Privacy Daily is a service of Warren Communications News.
Subscriber Login

Health Care Customers Informed of Data Breach Nearly Three Years Later, Attorneys Allege

July 24, 2025 |Data Security

A Massachusetts-based health care provider discovered a data breach late in November 2022 and "promptly" reported it to federal authorities and state regulators, it said; however, it only began alerting affected customers this month, a law firm investigating the incident on behalf of potential victims said Tuesday.

Sign up for a free preview to unlock the rest of this article

Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.

Start My Free Preview

DotHouse detected "suspicious activity in its computer systems" in Nov. 2022, but started notifying "affected individuals ... around July 14, 2025, which may have violated state and federal laws," Schubert Jonckheer lawyers said in a release.

DotHouse didn't respond to our question about why it took more than two years to notify customers of the breach.

In its recent notification letter, it said "we reported the event to law enforcement and regulators" upon discovery of the breach in November 2022.

The breach may have exposed the personal information of more than 185,000 customers, Schubert Jonckheer alleged. Data may have included medical record numbers, diagnosis/conditions, medications, treatment details and claim information, it added.

Vermont's AG Office reported the breach on July 14, attaching a sample notification letter to its report.

DotHouse said it "became aware that certain computer systems in our environment were exhibiting suspicious activity" on November 28, 2022. "Upon identifying the event, we promptly launched an investigation ... while we worked quickly to secure our systems," it continued in the letter.

The investigation found "an unknown actor gained access to certain systems between October 31, 2022, and November 27, 2022, and appeared to have accessed or downloaded certain files ..." but "DotHouse’s electronic medical records database was not impacted during the event."

DotHouse said it's offering "complimentary credit monitoring and identity restoration services" to impacted individuals, and that "the privacy and security of information is amongst our highest priorities."