Service Provider Breach Hits Vitas Hospice, Nearly 320,000 Individuals Affected

Vitas Hospice Services in Florida said a service-provider breach earlier this year exposed the sensitive data of its current and former patient data, prompting a review of its security practices.

 

Headquartered in Miami, Florida, Vitas Hospice Services is one of the nation’s largest end-of-life care providers, delivering hospice and palliative support to terminally ill patients and their families in homes and care facilities.

 

In a data security incident notice published on its website, Vitas said that on October 24 it became aware that an unauthorised third party had compromised a vendor’s account and used it to access certain Vitas systems. The care provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The investigation determined that the unauthorised party accessed certain VITAS systems between approximately September 21 and October 27, 2025. In the course of that activity, the unauthorised party was able to access and download personal information about some of our patients and former patients,” Vitas said.

 

The compromised data included names, addresses, dates of birth, phone numbers, Social Security numbers, driver’s license numbers, next of kin contact information, medical information, insurance information and other personal information. 

 

The incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights where Vitas said it has identified at least 319,177 individuals impacted by the incident.

 

“We take this matter very seriously and have taken additional steps to reduce the risk of a similar incident occurring in the future. We are working with a leading cybersecurity firm to assist with our investigation and analysis, and we are reviewing and strengthening our vendor oversight and data protection protocols. We also notified law enforcement of this incident,” Vitas added.

 

While the hospice found no evidence of the compromise data being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. 

 

It has also offered complimentary identity protection and credit monitoring services to all affected individuals.