Cyber Incident Victim: Excelas
Date:
Nov 2025
Location:
—
Summary
Excelas reported that an unauthorized actor accessed its systems and that suspicious activity was later detected, prompting an investigation with third‑party cybersecurity experts. The company said that data potentially exposed included names, dates of birth, Social Security numbers, government‑issued identification, medical and health information, medication details, medical record images, insurance information, and payment details. Individuals who received a breach notification were informed that their personal and protected health information may have been affected. It filed a notice of the incident with the Commonwealth of Massachusetts and began notifying potentially affected individuals. Edelson Lechtzin LLP is investigating the breach for a possible class action on behalf of those whose information may have been compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 27, 2025 an unauthorized actor gained access to certain systems operated by Excelas, and the intrusion persisted until December 3, 2025. Excelas did not detect the activity until January 28, 2026, when suspicious network behavior was observed. Following the detection, the company retained third‑party cybersecurity experts to conduct a forensic examination of the affected environment. The experts worked to determine the scope of the unauthorized access, to identify any data that may have been viewed or acquired, and to establish a timeline of the incident. Excelas subsequently began the process of notifying individuals whose information might have been involved and, on May 12, 2026, filed a formal notice of the breach with the Commonwealth of Massachusetts. The incident was publicly disclosed in a press release issued on May 19, 2026.
According to the information provided by Excelas, the data that could have been compromised includes names, dates of birth, Social Security numbers, government‑issued identification numbers, medical and health details, diagnosis information, medication information, medical record images, insurance information, and payment data. The breach potentially affects individuals who received a notification from Excelas regarding the incident, as those are the persons whose records were stored in the systems accessed by the unauthorized actor. Excelas operates as a provider of medical record organization and document management services for healthcare providers, insurers, and law firms, which explains the presence of the aforementioned categories of personal and protected health information in its environment. The breach was communicated to the public through a press release that outlined the types of information involved and the steps the company had taken to investigate the event.
In response to the breach, Edelson Lechtzin LLP, a national class action law firm with offices in Pennsylvania and California, announced that it is investigating privacy claims arising from the Excelas incident and is offering free consultations to individuals who received a breach notification. The firm stated that it will evaluate potential legal claims on behalf of those whose personal and protected health information may have been exposed, with the aim of pursuing appropriate legal remedies. Edelson Lechtzin LLP handles a variety of litigation areas, including securities and investment fraud, federal antitrust violations, ERISA employee benefit plans, wage theft, and consumer fraud, and it is applying its experience in data breach litigation to this matter. The firm encouraged affected individuals to contact it for a confidential case evaluation to discuss their rights and possible actions.