Innovative Pharmacy Packaging Corp and affiliated entities reported a data breach involving the protected health information (PHI) of 133,862 patients following unauthorized network access in September 2025.
Incident Identification and Investigation
Innovative Pharmacy Packaging Corp, IPPC of New York LLC, and Innovative Pharmacy LLC identified unusual network activity in September 2025. An internal investigation was initiated to determine the nature and scope of the activity. A forensic review confirmed that an unauthorized third party accessed the network between September 18, 2025, and September 19, 2025. The investigation determined that files were removed from the network during that period.
A detailed review of the affected files continued until February 9, 2026. The review established that the files contained personal data and PHI associated with affected individuals.
Scope of Compromised Information
The exposed information varies by individual. The compromised data may include names combined with other identifying and sensitive information. Data elements identified in the review include birth dates, driver’s license numbers, and government-issued ID numbers. Additional data elements include passport numbers, Medicare and Medicaid ID numbers, and individual taxpayer ID numbers.
The dataset may also contain medical record numbers and patient account numbers. Clinical information such as diagnosis, treatment details, and procedure information is included in the affected files. Prescription details, medical insurance information, and billing and claims information are also part of the compromised data.
Financial information is included in some cases. This may involve payment card information and financial account details. The affected records may also include provider names, admission and discharge dates.
Notification and Response Actions
As a HIPAA-covered entitly, IPPC issued notification letters to affected individuals beginning on April 1, 2026. The organization offered 24 months of credit monitoring and identity theft protection services to individuals whose information was involved. The offer is intended for individuals whose data was copied during the incident.
The organization reported that additional security measures have been implemented following the incident. Policy and procedure updates related to data privacy and security are also in progress.
Regulatory Reporting
The breach was reported to the United States Department of Health and Human Services Office for Civil Rights. The report confirms that PHI was exposed and may have been obtained by an unauthorized party.
