A threat actor is claiming to be selling a database allegedly stolen from Careficient, a U.S.-based electronic medical records (EMR) provider used by home health, hospice, and care management organizations. The listing, posted May 1, 2026, advertises more than 164,000 records containing patient and staff data.
The authenticity of the dataset has not been independently verified. However, the structure and fields described in the listing suggest the data may originate from a healthcare records system rather than a generic user database.
Dataset claims include SSNs, medical identifiers, and contact data
According to the threat actor, the dataset includes approximately 163,000 patient records and 1,200 staff records. The patient data reportedly contains highly sensitive fields including Social Security numbers, dates of birth, medical record numbers, contact details, and full address information.
Staff records are said to include email addresses, phone numbers, and authentication-related data such as hashed passwords and password salts.
If accurate, the combination of personally identifiable information and medical reference data would represent a high-risk exposure, particularly given the inclusion of SSNs and healthcare identifiers.
Structure aligns with EMR system exports
The dataset description outlines a structured format consistent with electronic medical record systems, including fields for patient identity, medical reference numbers, and organizational assignment. This type of schema is commonly used in healthcare platforms to manage patient records across agencies and care providers.
Unlike many breach listings that contain loosely defined or aggregated data, the presence of healthcare-specific identifiers such as MRNs alongside structured demographic and contact fields suggests the data may have originated from an internal system or export process.
Unclear how data was obtained
The threat actor did not provide details on how the data was allegedly obtained, and there is no indication whether the exposure resulted from a direct compromise of Careficient systems, a third-party integration, or misconfigured storage.
There is also no confirmation whether the dataset reflects current records or historical data.
Without additional technical detail or independent validation, the scope and origin of the dataset remain unclear.
Healthcare sector remains a high-value target
Healthcare systems continue to be a frequent target for data breaches due to the sensitivity and long-term value of patient data. Records that combine identity information with medical context are particularly valuable for fraud, identity theft, and targeted phishing campaigns.
Recent breach claims involving healthcare and patient data, including the alleged Choice Health insurance dataset leak and the confirmed CareCloud breach, show how access to healthcare systems and datasets can lead to large-scale exposure of sensitive patient information.
No public statement from Careficient
Careficient had not issued any public statement at time of publication regarding the alleged breach or the dataset being offered for sale.
Further investigation is required to determine whether the data is authentic and whether patients or organizations using the platform have been affected.
