Woundtech Data Breach Exposes Social Security Numbers and Medical Records

Healthcare data breach illustration
Breach Discovery: 6th December 2025Breach Notification: 16th March 2026

What Happened in the Woundtech Data Breach?

Woundtech, formally known as Wound Technology Network Inc., recently confirmed a data breach that exposed sensitive personal and medical information. The company became aware of unusual activity in its network environment on or about Dec. 6, 2025. As a result, Woundtech launched an internal review and brought in outside help to understand what had happened.

To investigate further, the company retained a third-party cybersecurity firm to conduct a forensic review of the incident. This review determined that unauthorized access to Woundtech’s systems occurred during a four-day window between Dec. 6, 2025, and Dec. 9, 2025. During that time, an unauthorized individual may have copied certain files from the company’s network.

By Dec. 31, 2025, investigators had confirmed that data was likely taken. However, Woundtech still needed to determine exactly which individuals and what information were involved. This process required a detailed, file-by-file review before notification letters could go out.

Notably, before Woundtech finished that internal review, a threat actor calling itself FulcrumSec posted claims about the breach on the open web on Feb. 1, 2026. The actor alleged it had stolen 3.8 terabytes of data, affecting more than 160,000 patients. This included claims of 4.6 million clinical notes, electronic medical record files, roughly 85,000 referral documents with full protected health information, and about 93,000 clinical wound images.

Woundtech completed its internal review on March 2, 2026, identifying the individuals who needed to be notified. The company then filed disclosures with several state attorneys general, including California, Texas, and Vermont, before beginning consumer notifications on March 16, 2026.

Who was affected?

The Woundtech data breach affected 139,830 individuals, according to disclosures filed with regulators. Among those impacted are 3,809 residents of Texas specifically. Because Woundtech provides wound care technology and services, most affected individuals are likely patients whose records passed through the company’s systems.

It is worth noting that the threat actor’s claims suggest an even larger number of patients, over 160,000, may have been touched by the intrusion. This discrepancy between the actor’s claims and the officially disclosed figure has not been fully explained. As a result, the true scope may still be evolving as further information becomes available.

The breach appears to span multiple states, given the involvement of attorneys general in California, Texas, and Vermont. Since Woundtech’s services relate to wound care and clinical treatment, the exposed population likely includes older adults and patients managing chronic conditions. This raises particular concern, since these individuals may already face health vulnerabilities that make privacy protection especially important.

What Information Was Potentially Exposed?

The specific information exposed varies from person to person. However, based on the company’s disclosures and the threat actor’s claims, the breach may have exposed a wide range of sensitive personal and medical details.

  • First and last name
  • Date of birth
  • Telephone number
  • Gender
  • Clinical notes
  • Medical health information
  • Medical treatment images and information
  • Medical diagnosis information
  • Health insurance information
  • Social Security numbers

Given this combination of data, the risk to affected individuals is significant. Social Security numbers, when combined with names and dates of birth, give criminals nearly everything they need to open new credit accounts or file fraudulent tax returns. Because this data rarely changes, the risk of misuse can persist for years after a breach occurs.

In addition, the exposure of clinical notes, diagnosis information, and treatment images creates a separate danger: medical identity theft. Someone could use stolen health insurance details to receive treatment under another person’s name. This type of fraud can corrupt medical records and lead to incorrect information appearing in a victim’s own health history, which can affect future care.

What is the company doing?

In response to the breach, Woundtech is mailing notice letters to every individual whose information was found in the affected files, provided the company has a valid mailing address on file. Each letter explains the specific categories of information exposed for that individual. This personalized approach helps recipients understand their particular level of risk.

Furthermore, Woundtech posted a notice on its website dated March 16, 2026, offering general information about the incident and steps consumers can take to protect themselves. For those who did not receive a letter but want to confirm whether they were affected, the company set up a dedicated assistance line at 833-297-3496. This line operates Monday through Friday, from 8:00 a.m. to 8:00 p.m. Eastern Time, excluding major U.S. holidays.

What Should Affected Individuals Do?

Protect Your Social Security Number

Anyone whose Social Security number was involved in this breach should take immediate action. Placing a credit freeze with all three major credit bureaus is one of the strongest protections available. A freeze blocks new creditors from accessing your credit file, which makes it much harder for criminals to open accounts in your name.

You can contact each bureau directly to request a freeze: Equifax at 1-888-298-0045, Experian at 1-888-397-3742, and TransUnion at 1-800-916-8800. Because freezes must be placed separately with each bureau, it is important to contact all three rather than just one. This ensures complete protection across every major credit file.

Monitor Your Medical Records and Insurance Statements

Because this breach exposed clinical notes, diagnosis information, treatment records, and health insurance details, affected individuals should watch their Explanation of Benefits statements closely. These statements come from your health insurance provider after any claim is processed. Reviewing them regularly can help you spot fraud early.

Specifically, look for any services, procedures, or treatments listed that you did not actually receive. If you notice anything unfamiliar, contact your insurance provider right away. Catching medical identity theft early can prevent lasting damage to your health records and insurance coverage.

Review Your Credit Reports Regularly

All affected individuals should make it a habit to check their credit reports for unusual or unauthorized activity. This is a simple but effective way to catch identity theft before it causes serious financial harm. Fortunately, free credit reports are available to everyone.

You can obtain your free reports at AnnualCreditReport.com or by calling 1-877-322-8228. Since each of the three bureaus may show different information, it is wise to check all three periodically throughout the year rather than relying on just one report.

Report Suspected Identity Theft

If you believe you have become a victim of identity theft following this breach, you have several options for reporting it. You can file a complaint with the Federal Trade Commission at identitytheft.gov or by calling 1-877-438-4338. This creates an official record and can help you build a recovery plan.

In addition, affected individuals have the right to file a police report and to contact their state attorney general for further guidance. Taking these steps promptly can strengthen your case if you later need to dispute fraudulent charges or accounts. Consulting a data breach attorney for a free case evaluation may also help you understand your legal options.

Stay Alert for Phishing Attempts

Following any large-scale data breach, scammers often use exposed contact details to launch targeted phishing attempts. Be cautious of unexpected calls, emails, or text messages claiming to be from Woundtech, your health insurer, or a credit bureau. Legitimate organizations will never pressure you to act immediately or share sensitive information over the phone.

Instead, verify any suspicious communication by contacting the organization directly through a known, official phone number or website. Because your name, phone number, and health details were potentially exposed, scammers may craft convincing messages referencing your actual medical history. Staying skeptical of unsolicited requests for personal information remains one of your best defenses.



More Information

Official Notice from Woundtech

HHS Office for Civil Rights Breach Notification Portal

Official State Attorney General Notification

Official State Attorney General Notification

Official Notice from Vermont

Official Notice from Woundtech

Related Data Breaches