Data Breach Summary
Twin Cities Pain Clinic (TCPC), a pain management medical group in Minnesota, has reported a significant data breach resulting from a business email compromise (BEC) attack. The breach, discovered on July 9, 2025, involved suspicious activity in an employee’s email account, leading to unauthorized access of sensitive files stored in the clinic’s SharePoint environment.
Following the discovery of suspicious activity, TCPC engaged third-party digital forensics experts to investigate. On July 31, 2025, it was confirmed that a cybercriminal had accessed the employee’s email account and a limited number of files. A comprehensive review of the data found that the breach potentially exposed both personally identifiable information (PII) and protected health information (PHI).
The clinic conducted a thorough investigation and determined on August 19, 2025, that sensitive patient data had been compromised. On September 4, 2025, TCPC began notifying affected individuals by mail. The breach was also disclosed to the Massachusetts Attorney General’s office on the same day. The total number of affected patients has not yet been disclosed, though it is believed to involve thousands of individuals.
The breach potentially exposed the following types of sensitive information:
Full Names
Dates of Birth
Social Security Numbers
Contact Information (mailing addresses, email addresses, and phone numbers)
Financial Account Information
Health Insurance Information
Medical Record Numbers
Treatment Notes
Provider Information
Although the information varied across affected individuals, no evidence has been found to indicate that any data was downloaded or misused from TCPC’s systems. The clinic continues to emphasize that they are notifying affected individuals out of an abundance of caution.
If you believe you may have been affected by this breach, it is important to take proactive steps to protect your personal information. We encourage individuals to:
Monitor Financial Accounts: Regularly check your bank and credit card statements for unfamiliar transactions.
Review Explanation of Benefits: Carefully review any Explanation of Benefits (EOB) statements for suspicious claims or services.
Monitor Credit Reports: Take advantage of free credit reports to monitor for any signs of identity theft or fraudulent activity.
Report Suspicious Activity: Immediately report any suspicious activity to your insurance company, healthcare provider, and/or financial institution.
If you received a notification about the breach, you may want to explore your legal options. Twin Cities Pain Clinic responsibility to protect sensitive patient data has potentially exposed individuals to identity theft and other risks. You could be eligible to join a class action lawsuit against Twin Cities Pain Clinic for damages caused by the breach.
To determine if you qualify for the class action lawsuit or need further legal support, contact Class Action U for a free consultation. Our legal experts can help you navigate the next steps and ensure that your voice is heard in the fight for justice and accountability.
©2024 ClassActionU
