What Happened in the Manhattan Retirement Foundation Data Breach?
Manhattan Retirement Foundation, doing business as Meadowlark Hills, has confirmed a data breach that exposed sensitive personal and health information. Meadowlark Hills is a nonprofit retirement community and nursing facility located in Manhattan, Kansas. The organization disclosed that unauthorized access to its network occurred between July 12 and July 21, 2025.
According to the notification, an unknown party gained access to internal systems during that window. As a result, files containing personal and health details were exfiltrated from the network. The exact method used to breach the systems has not been publicly disclosed.
After detecting suspicious activity, Meadowlark Hills launched a forensic investigation to determine the scope of the intrusion. That investigation concluded on January 28, 2026. Following this review, the organization confirmed that sensitive data had indeed been taken from its systems, prompting formal breach notifications to regulators and affected individuals.
Because the breach involved protected health information, Meadowlark Hills filed disclosures with the Massachusetts Office of Consumer Affairs and Business Regulation. In addition, the organization notified the U.S. Department of Health and Human Services, as required under HIPAA regulations. These filings confirm the breach affected people across the country, not just within Kansas.
Who was affected?
The Manhattan Retirement Foundation data breach affected 14,442 individuals nationwide. This total includes at least one resident of Massachusetts, based on that state’s regulatory filing. Because Meadowlark Hills operates a retirement community and nursing facility, those affected likely include current and former residents, patients, and possibly staff members.
Given the nature of the facility, many affected individuals are likely older adults who may be especially vulnerable to identity theft and financial scams. The notification does not specify whether employees, contractors, or family members tied to billing accounts were also included. As a result, anyone who received care or services through Meadowlark Hills should consider themselves potentially affected until they confirm otherwise.
What Information Was Potentially Exposed?
The breach exposed a wide range of personally identifiable information and protected health information. This combination makes the incident particularly serious, since it includes both financial and medical data types that are highly valuable to identity thieves.
- Full names
- Social Security numbers
- Dates of birth
- Driver’s license or state identification numbers
- Other government identification numbers
- Financial account details
- Credit or debit card information
- Medical information
- Health insurance policy information
Because Social Security numbers and financial account details were exposed, affected individuals face a heightened risk of identity theft and fraudulent account openings. Criminals can use this combination of data to apply for credit cards, loans, or government benefits in someone else’s name. In addition, exposed driver’s license and government ID numbers make it easier for fraudsters to impersonate victims in other contexts, such as opening utility accounts or filing fraudulent tax returns.
The exposure of medical information and health insurance policy details adds another layer of risk. This means affected individuals could become targets of medical identity theft, where someone uses stolen health insurance information to obtain treatment or equipment. Such fraud can be difficult to detect and may even contaminate a victim’s medical records with inaccurate information, potentially affecting future care.
What is the company doing?
In response to the breach, Meadowlark Hills completed a thorough investigation to determine which systems and individuals were affected. Once the investigation concluded, the organization began sending written notifications to affected individuals on or about February 26, 2026. This step fulfilled its legal obligations under both state and federal breach notification laws.
Meadowlark Hills also posted a public notice describing the incident on its website. Furthermore, the organization filed the required disclosures with the Massachusetts Office of Consumer Affairs and Business Regulation and the U.S. Department of Health and Human Services. These filings help ensure regulatory oversight and public transparency regarding the scope of the breach.
To help mitigate harm, Meadowlark Hills is offering complimentary single-bureau credit monitoring, credit reports, and credit score services to individuals whose Social Security numbers were involved. These services include alerts for changes to credit files, which can help detect fraud early. In addition, the organization has arranged proactive fraud assistance and remediation services through Cyberscout, a TransUnion company, at no cost to affected individuals.
Meadowlark Hills has also set up a dedicated toll-free response line for people with questions about the breach. Representatives are available Monday through Friday, from 8 a.m. to 8 p.m. Eastern time. This resource allows affected individuals to get personalized guidance about the incident and available protections.
What Should Affected Individuals Do?
Enroll in Credit Monitoring and Fraud Assistance
Anyone who received a notification letter should enroll in the complimentary credit monitoring service offered by Meadowlark Hills right away. This service can alert you to new accounts or suspicious changes in your credit file. Because enrollment periods are often time-limited, acting quickly helps ensure you don’t miss this free protection.
In addition, take advantage of the proactive fraud assistance and remediation services available through Cyberscout. These services can help you respond quickly if you notice signs of fraud. Combining monitoring with expert remediation support gives you a stronger safety net against identity theft.
Place a Fraud Alert or Credit Freeze
Because Social Security numbers and financial account details were exposed, placing a fraud alert on your credit file is a wise precaution. A fraud alert requires creditors to verify your identity before opening new accounts in your name. You can request this by contacting any one of the three major credit bureaus, since they will notify the others.
For even stronger protection, consider placing a security freeze on your credit files. A freeze prevents most lenders from accessing your credit report at all, which makes it much harder for criminals to open accounts. While a freeze requires a few extra steps when you apply for credit yourself, it offers one of the most effective defenses against identity theft.
Monitor Medical and Insurance Statements
Since medical information and health insurance policy details were exposed, it’s important to review statements from healthcare providers and insurers closely. Look for unfamiliar charges, unrecognized providers, or services you never received. If you spot anything suspicious, contact your insurer immediately to dispute the charges.
Medical identity theft can be harder to spot than financial fraud, so vigilance is essential. As a result, consider requesting a copy of your medical records periodically to check for inaccuracies. Catching problems early can prevent long-term complications with your health coverage or care history.
Watch for Phishing Attempts
After a breach like this, scammers often use stolen information to craft convincing phishing emails, calls, or texts. Be cautious of any message claiming to be from Meadowlark Hills, a credit bureau, or a government agency asking for personal details. Legitimate organizations rarely request sensitive information through unsolicited messages.
Instead, verify the identity of anyone contacting you by using official phone numbers or websites you find independently. For example, if you receive a suspicious call about this breach, hang up and call the dedicated response line directly. This simple habit can prevent you from becoming a victim of secondary scams tied to the original breach.
Review Your Credit Reports Regularly
Everyone affected should obtain and review their free annual credit reports from each of the three major bureaus. Look carefully for accounts you don’t recognize, unfamiliar inquiries, or incorrect personal information. Because identity thieves sometimes wait months before using stolen data, ongoing vigilance matters just as much as an immediate check.
If you notice anything unusual, dispute it with the credit bureau right away and keep detailed records of your communications. In addition, individuals concerned about their legal rights following this breach may want to consult a data breach attorney for a free case evaluation. An attorney can help clarify whether you qualify for compensation and what steps to take next.
More Information
Official Notice from Meadowlark
HHS Office for Civil Rights Breach Notification Portal
Official Data Breach Notification Letter (PDF)
