Clinical Registry Solutions Data Breach Exposes Social Security Numbers and Medical Data

Healthcare data breach illustration
Breach Discovery: 9th April 2026Breach Notification: Not Publicly Disclosed

What Happened in the Clinical Registry Solutions Data Breach?

Clinical Registry Solutions, a Brooklyn-based healthcare data management vendor, has disclosed a data breach affecting patient information it maintained for St. Mary’s Medical Center, a Dignity Health hospital. The company provides clinical data abstraction and registry support services to hospitals and health systems across the country. As a result, it handles sensitive patient records on behalf of its healthcare clients.

According to the company’s notification, CRS identified suspicious activity within its network on April 9, 2026. In response, the company moved quickly to secure its systems and launched an investigation into what had occurred. That investigation determined that an unauthorized party had accessed the network on that same date. During this intrusion, the attacker acquired certain files containing patient information belonging to St. Mary’s Medical Center.

On May 6, 2026, the ransomware group known as Akira claimed responsibility for the attack on a dark web leak site. The group stated it had stolen roughly 41 GB of data from Clinical Registry Solutions. Because dark web claims often exceed what a company later confirms, CRS’s own notification describes a more limited set of exposed patient data than what Akira publicized. This gap highlights why affected individuals should rely on the official notification for guidance on their specific exposure.

Who was affected?

The breach affects patients whose clinical data was processed by Clinical Registry Solutions on behalf of St. Mary’s Medical Center. Since CRS works as a data abstraction and registry vendor, the exposed individuals are primarily hospital patients rather than CRS employees or the general public. This means the breach reaches people who may not have known this vendor even held their records.

CRS has confirmed that 8,545 individuals in the United States were affected by this incident. In addition, the Akira dark web posting claimed to have also obtained employee personal information, client documents, financial records, and contracts. However, CRS’s notification to consumers focuses specifically on patient data, so the scope for employees and business partners has not been publicly detailed in the same way.

What Information Was Potentially Exposed?

Based on the official notification, the exposed patient information includes several categories of highly sensitive data. This combination of identifiers and medical details makes the exposure particularly serious for those affected.

  • First and last names
  • Social Security numbers
  • Driver’s license numbers
  • Medical record numbers
  • Procedure dates

Separately, the Akira group’s dark web claims referenced additional data types, including passports, health data, financial records, payment details, and non-disclosure agreements. These claims have not been fully confirmed by CRS in its consumer-facing notification. Still, they suggest the overall intrusion may have touched a broader set of records than what was disclosed to patients directly.

Because Social Security numbers and driver’s license numbers were confirmed exposed, affected individuals face a real risk of identity theft. Criminals can use this data to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name. As a result, this type of exposure often has long-lasting consequences that go beyond a single fraudulent charge.

In addition, the presence of medical record numbers and procedure dates raises the risk of medical identity theft. This occurs when someone uses stolen health information to obtain medical services, prescriptions, or insurance benefits under another person’s name. Consequently, victims may later discover inaccurate information in their own medical records, which can complicate future treatment.

What is the company doing?

After discovering the intrusion, Clinical Registry Solutions took immediate steps to secure its network and stop further unauthorized access. The company then conducted a thorough investigation to determine exactly which files and individuals were affected. This process ultimately led to the confirmed count of 8,545 impacted individuals in the United States.

Following the investigation, CRS notified affected individuals and reported the incident to multiple state regulators, including the California Attorney General, the Massachusetts Attorney General, and the Nebraska Attorney General. To manage the response, CRS enlisted Cyberscout, a TransUnion company, to handle notification letters and ongoing support. Each notification letter included guidance on protective steps such as placing fraud alerts, requesting credit freezes, and monitoring credit reports.

In addition, CRS established a dedicated call center through Cyberscout so affected individuals can ask questions about the incident. The call center operates Monday through Friday from 8:00 a.m. to 8:00 p.m. EST, excluding major U.S. holidays, at 1-800-405-6108. Individuals can also reach the company by mail at its Brooklyn, New York office.

What Should Affected Individuals Do?

Monitor Your Credit Reports Closely

Because Social Security numbers and driver’s license numbers were exposed, affected individuals should watch their credit reports carefully in the months ahead. Unexpected new accounts, unfamiliar inquiries, or sudden score changes can all signal fraudulent activity. Reviewing your credit report regularly gives you a chance to catch problems early.

You can request free credit reports from each of the three major credit bureaus. In addition, many financial institutions now offer free credit monitoring tools through their banking apps. Checking these reports at least once every few months makes it much easier to spot suspicious activity before it grows into a larger problem.

Consider a Fraud Alert or Credit Freeze

Given that this breach exposed both Social Security numbers and driver’s license numbers, placing a fraud alert or credit freeze is a strong protective step. A fraud alert requires creditors to verify your identity before opening new accounts in your name. A credit freeze goes further by restricting access to your credit file entirely, which makes it harder for identity thieves to open accounts.

You can request a fraud alert through any one of the three credit bureaus, since they are required to notify the others. Similarly, you can place a credit freeze directly with each bureau, usually free of charge. Because these protections can be lifted temporarily when you need to apply for credit yourself, they do not have to disrupt your normal financial life.

Protect Against Medical Identity Theft

Since medical record numbers and procedure dates were exposed, affected individuals should also watch for signs of medical identity theft. This can include unfamiliar bills, unexpected insurance claims, or incorrect information appearing in your medical files. Reviewing statements from your health insurer regularly can help you catch these issues quickly.

If you notice anything unusual, contact your healthcare provider and insurer right away to correct the record. In addition, you may want to request a copy of your medical records to confirm their accuracy. Taking these steps early can help prevent long-term complications with both your health records and your insurance coverage.

Stay Alert for Phishing Attempts

After a healthcare data breach like this one, scammers often use stolen information to craft convincing phishing emails, texts, or phone calls. These messages may reference your medical provider, procedure dates, or other real details to appear legitimate. Because of this, it’s important to treat unexpected communications with caution, even if they look official.

Never click links or share personal information in response to unsolicited messages. Instead, contact the organization directly using a verified phone number or website. If you’re ever unsure whether a message is legitimate, it’s safer to verify first rather than respond immediately.

Consult a Data Breach Attorney

Given the sensitivity of the exposed data, affected individuals may want to speak with a data breach attorney about their legal options. Many attorneys offer free case evaluations, so there is little downside to asking questions about potential compensation. This is especially relevant if you experience direct financial or medical harm connected to this incident.

An attorney can help you understand whether you qualify to join existing legal action or file an individual claim. In addition, they can advise you on documenting any losses tied to the breach. Because deadlines for legal claims can vary by state, it’s wise to seek advice sooner rather than later.



More Information

Official Source

Official Source

Official Source

Official Data Breach Notification Letter (PDF)

Official Data Breach Notification Letter (PDF)

Related Data Breaches