Endue Software Data Breach Exposes Sensitive PII and PHI

On March 31, 2025, Endue Software discovered a data breach that occurred on February 18, 2025. The incident affected approximately 118,028 individuals across the United States, including 54 residents in the state of Maine.

During the breach, unauthorized individuals gained access to sensitive consumer information stored within Endue Software's systems. The compromised data included personally identifiable information (PII) and protected health information (PHI), specifically individuals' full names, addresses, Social Security numbers, dates of birth, and medical record numbers. The exposure of such sensitive information can potentially lead to identity theft, fraud, or other privacy-related risks.

At this time, Endue Software has not publicly disclosed specific details regarding how the unauthorized access occurred or who was responsible for the breach. Investigations into the incident are ongoing, and the company is working with cybersecurity experts and authorities to understand the full scope and implications of the breach.

What happened?

On February 18, 2025, an unauthorized party accessed Endue Software's internal systems, resulting in a significant data breach. The breach was not discovered until March 31, 2025, leaving sensitive consumer data potentially exposed for more than a month. The compromised information included highly sensitive personal data such as full names, addresses, Social Security numbers, dates of birth, and medical record numbers. This combination of PII and PHI could enable identity theft, financial fraud, or misuse of medical information.

Endue Software reported the breach to regulatory authorities, including the Maine Attorney General's office and the Vermont Attorney General's office, on April 14, 2025. The company also notified affected consumers through written notices on April 11, 2025.

Endue Software has publicly posted detailed notices about the breach on their website, available at their Notice of Data Privacy Event. Additionally, official disclosures regarding the breach can be found on the websites of the Maine Attorney General and the Vermont Attorney General.

Endue Software's response

Upon discovering the breach, Endue Software immediately launched an investigation with cybersecurity experts to secure their systems and prevent further unauthorized access. The company has taken steps to strengthen its information security measures and is cooperating fully with law enforcement and regulatory authorities.

Endue Software has notified all affected individuals via written notices, informing them of the specific information that was compromised and providing guidance on how to protect themselves against identity theft and fraud. Given the sensitive nature of the exposed information, affected individuals are encouraged to remain vigilant by reviewing their financial statements and credit reports closely.

The company has recommended that affected individuals consider placing fraud alerts or credit freezes on their credit files. Additionally, individuals should monitor their medical records and insurance statements closely for any unauthorized activity or charges. If suspicious activity is detected, affected individuals should promptly report it to their financial institutions, healthcare providers, and local law enforcement.

About Endue Software

Endue Software is a healthcare-focused software company specializing in infusion operations management. Founded in 2022 and headquartered in Brooklyn, New York, the company offers solutions designed specifically for infusion therapy providers. Endue Software's platform streamlines patient intake, scheduling, inventory management, and team communications, aiming to improve operational efficiency and patient satisfaction.

The company was co-founded by Brian Brett, who serves as CEO, and Thi-Duong Nguyen, who serves as CTO. Endue Software recently raised $3 million in funding and maintains partnerships with healthcare organizations such as the National Infusion Center Association. The company's platform is compliant with HIPAA and SOC 2 Type 1 standards and is hosted securely on the Google Cloud Platform.