Claxton-Hepburn Medical Center Data Breach Exposes Patients' Health Info

On August 31, 2023, Claxton-Hepburn Medical Center (CHMC) in Ogdensburg, New York, experienced a cybersecurity incident that disrupted its network operations. An immediate investigation was launched to determine the scope and impact of the incident.

The investigation revealed that an unauthorized party had accessed certain systems within the hospital’s network environment. By September 6, 2023, it was determined that personal information for specific individuals may have been accessed or acquired.

Affected individuals were notified on November 1, 2023, and a public notice was posted on the hospital’s website. However, the review of affected network locations continued, and on January 27, 2025, CHMC discovered that additional files containing sensitive information had been accessed or acquired during the August 31, 2023 incident.

The types of information exposed in this breach include both personally identifiable information (PII) and protected health information (PHI): names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, and medical diagnosis information.

This combination of PII and PHI increases the risk of identity theft and medical fraud for those affected.

Claxton-Hepburn Medical Center's response

The hospital contained the network intrusion and engaged leading third-party cybersecurity experts to conduct a thorough investigation. Law enforcement was also notified. As a result of this incident, CHMC reset all user passwords and enabled multi-factor authentication across its systems to further enhance security.

For individuals whose information was involved in the breach, CHMC is offering complimentary one-year credit monitoring and identity theft protection services through Cyberscout, a TransUnion company. These services include credit monitoring, credit report access, credit score services, and proactive fraud assistance. Affected individuals are encouraged to enroll within 90 days of receiving their notification letter.

CHMC recommends that all potentially affected individuals remain vigilant by regularly reviewing their financial account statements, explanation of benefits, and credit reports for any unusual or unauthorized activity. The hospital has also provided instructions on how to place a fraud alert or security freeze on credit files, as well as how to request free credit reports from the major credit bureaus.

Given the sensitive nature of the exposed information—including both PII and PHI—it is especially important for affected patients to monitor their medical records and health insurance statements for any unfamiliar activity. The hospital’s consumer notice, which will be available at the bottom of this article’s page, offers additional resources and step-by-step guidance for protecting your information.

The breach was disclosed to the New Hampshire Attorney General’s office on April 14, 2025, as shown in the official AG disclosure. The hospital also posted a public announcement on its corporate compliance page.

For more information about the hospital, visit the Claxton-Hepburn Medical Center website.