Elara Caring Data Breach Exposes Social Security Numbers and Medical Records

Healthcare data breach illustration
Breach Discovery: 12th December 2025Breach Notification: 12th May 2026

What Happened in the Elara Caring Data Breach?

Elara Caring, one of the largest providers of home-based care services in the country, has confirmed a data breach that exposed sensitive patient information. The breach did not originate inside Elara’s own network. Instead, it happened through a third-party vendor that handled documents containing patient data.

According to the company, the unauthorized access occurred during two separate windows of time. The first period ran from Nov. 4 to Nov. 6, 2025. The second happened between Nov. 14 and Nov. 17, 2025. During these windows, an unauthorized actor accessed and downloaded documents containing patient information from the vendor’s system.

Elara Caring learned about the incident on Dec. 12, 2025, when the vendor notified the company. As a result, Elara launched an internal investigation to determine exactly what information was involved. The company also worked to identify which patients were affected by the exposure.

Importantly, Elara has stated that its own internal systems were not compromised. This means the breach was contained entirely to the vendor’s environment. However, because the vendor stored Elara patient records, the impact still reached thousands of individuals across the country.

Who was affected?

The breach affected patients whose information was stored within the compromised vendor’s system. Because Elara Caring provides home-based care services nationwide, the exposure reached individuals across multiple states rather than one isolated region.

Elara reported that 10,490 individuals were affected in total across the United States. Of those, 3,311 were Texas residents and 1,143 were Massachusetts residents. Interestingly, a later filing with the Texas Attorney General updated the Texas figure to 2,631 individuals. It is not yet clear whether this change reflects a corrected total or an additional number of impacted residents.

Because this breach involves home-based care patients, the affected population may include elderly individuals and others who rely on in-home medical services. These groups can be especially vulnerable to identity theft and scams, which makes timely awareness and action even more important.

What Information Was Potentially Exposed?

The breach exposed a range of sensitive personal and medical information. This combination of data types makes the exposure particularly serious, since it includes both identity-related details and health information.

  • Full names
  • Home addresses
  • Dates of birth
  • Medical records
  • Health insurance information
  • Social Security numbers

Because Social Security numbers were included, affected individuals face a heightened risk of identity theft. Criminals can use this information to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name. In addition, combining a Social Security number with a date of birth and address makes fraudulent impersonation even easier to carry out.

The exposure of medical records and health insurance information adds another layer of risk. For example, stolen health insurance details can be used to commit medical identity theft, where a criminal receives treatment or submits claims under someone else’s name. This type of fraud can be especially difficult to detect and may even affect a victim’s own medical records.

What is the company doing?

Once Elara Caring learned of the breach, the company began investigating to determine the scope of the exposure. This included working to confirm which specific individuals had information involved in the incident.

After completing its review, Elara mailed notification letters to affected individuals on May 12, 2026. In response to the breach, the company is offering 24 months of complimentary credit monitoring and identity remediation services through Cyberscout, a TransUnion company. Each affected person received a unique enrollment code within their notification letter.

Elara has also set up a dedicated call center for anyone with questions about the breach. Representatives are available Monday through Friday from 8 a.m. to 8 p.m. Eastern time, excluding major U.S. holidays. This gives affected individuals a direct way to get help enrolling in the offered protection services.

What Should Affected Individuals Do?

Enroll in the Free Credit Monitoring

If you received a notification letter from Elara Caring, you should enroll in the complimentary credit monitoring service right away. This service, provided through Cyberscout, can help detect suspicious activity tied to your identity before it causes serious harm.

To enroll, simply use the unique code included in your letter. Because the monitoring lasts 24 months, you have time to sign up, but acting quickly gives you the most protection during the period when your risk is highest.

Place a Fraud Alert or Credit Freeze

Since Social Security numbers were exposed, placing a fraud alert or credit freeze is strongly recommended. A fraud alert requires creditors to verify your identity before opening new accounts, while a credit freeze blocks access to your credit file entirely.

You can request either option for free through each of the three major credit bureaus. As a result, this extra layer of protection makes it much harder for identity thieves to open accounts using your stolen information.

Watch for Medical and Insurance Fraud

Because medical records and health insurance information were involved, you should closely review any statements from your health insurer. Look for unfamiliar claims, unknown providers, or services you never received.

If you notice anything suspicious, contact your insurance provider immediately. In addition, request a copy of your medical records periodically to check for inaccuracies that could result from fraudulent use of your information.

Stay Alert for Phishing Attempts

After a breach like this, scammers often try to take advantage of victims through phishing emails, texts, or phone calls. These messages may pretend to be from Elara Caring, a credit bureau, or a government agency.

Therefore, avoid clicking links or sharing personal details in response to unexpected messages. Instead, verify any communication by contacting the organization directly using a known, official phone number or website.

Monitor Your Credit Reports Regularly

You are entitled to a free credit report from each major bureau every year, and checking them regularly can help you catch fraud early. Look for unfamiliar accounts, hard inquiries, or changes to your personal information.

If you find anything suspicious, report it to the credit bureau and consider speaking with a data breach attorney. An attorney can help you understand your legal options and whether you may qualify for compensation related to this incident.



More Information

Official Notice from Elara

HHS Office for Civil Rights Breach Notification Portal

Official State Attorney General Notification

Official Notice from Mass

Related Data Breaches