Woundtech Data Breach Exposes SSNs, Medical Records, and Clinical Images of Wound Care Patients

A data breach at Wound Technology Network, Inc. — better known as Woundtech — has exposed some of the most sensitive categories of personal information imaginable: Social Security numbers, clinical notes, medical diagnoses, treatment details, health insurance data, and even clinical wound images belonging to patients across the company’s multi-state healthcare network.

The Fort Lauderdale, Florida-based company, which has been providing specialized mobile wound care since 1999, disclosed the breach on March 16, 2026, revealing that unauthorized access to its systems occurred over a four-day window in early December 2025. The breach was reported to the Texas Attorney General’s Office on March 17, 2026, with at least 3,809 Texas residents confirmed as affected.

But the official notification tells only part of the story. On February 1, 2026 — more than a month before Woundtech completed its internal review — a threat actor operating under the name FulcrumSec publicly claimed responsibility for the attack, alleging they had stolen 3.8 terabytes of data impacting more than 160,000 patients.

If those claims are accurate, this breach is far larger and far more damaging than the initial regulatory filings suggest.

What Happened: A Four-Day Intrusion Window

According to Woundtech’s official breach notice, the timeline unfolded as follows:

December 6, 2025: Woundtech detected unusual activity in its network environment and immediately launched an investigation, retaining a third-party cybersecurity firm to conduct a forensic review.
December 6–9, 2025: The investigation determined that an unauthorized individual may have copied certain information from Woundtech’s systems during this four-day window.
December 31, 2025: The forensic investigation confirmed that data had been accessed and potentially exfiltrated.
March 2, 2026: Woundtech completed its review to identify the affected individuals and the types of information compromised.
March 16, 2026: The company began mailing notification letters to affected individuals and posted a public notice on its website.
March 17, 2026: The breach was reported to the Texas Attorney General.

The three-month gap between the initial intrusion and the completion of Woundtech’s review raises questions about the complexity of the incident — or the company’s capacity to respond to it. For patients whose data was compromised in December, three months of exposure without notification represents a significant window of vulnerability.

What Was Exposed: A Healthcare Data Nightmare

The types of personal and medical information compromised in this breach read like a checklist of everything a cybercriminal could want for identity theft, medical fraud, and extortion:

Full names (first and last)
Dates of birth
Telephone numbers
Gender
Social Security numbers (described by Woundtech as “a very limited amount”)
Clinical notes
Medical health information
Medical treatment information
Medical diagnosis information
Health insurance information
Medical treatment images

That last category deserves particular attention. Woundtech is a wound care specialist — the clinical images in question are photographs of patients’ wounds, taken as part of the treatment documentation process. These are among the most intimate and sensitive forms of medical imagery, and their exposure represents a profound violation of patient privacy that goes well beyond typical data breach scenarios.

Healthcare data is already the most expensive category of breached information, costing an average of $7.42 million per incident according to IBM’s 2025 Cost of a Data Breach Report — the highest of any industry sector. The inclusion of clinical images and detailed treatment records in this breach elevates the potential harm significantly.

FulcrumSec’s Claims: 3.8 Terabytes and 160,000+ Patients

The official notifications filed with state regulators paint a relatively constrained picture: 3,809 affected Texas residents, with the total national count yet to be publicly confirmed. But the threat actor’s claims suggest a breach of vastly greater magnitude.

On February 1, 2026, FulcrumSec posted details on the open web claiming responsibility for the Woundtech breach. According to their posting, the stolen data included:

3.8 terabytes of total data
Records affecting more than 160,000 patients
4.6 million clinical notes
Electronic medical record (EMR) files
Approximately 85,000 referral documents containing full protected health information (PHI)
Roughly 93,000 clinical wound images

These claims have not been independently verified, and Woundtech has not publicly addressed them. However, the specificity of the claims — particularly the breakdown by document type — suggests the threat actor has at least some familiarity with the stolen data set.

Who Is FulcrumSec?

FulcrumSec is a relatively new but increasingly active threat actor group that has been claiming high-profile breaches in 2026. Their known or claimed attacks include:

youX (formerly DRIVE IQ): In February 2026, FulcrumSec allegedly exfiltrated approximately 300 GB of data from the Australian FinTech platform, impacting over 444,000 borrowers.
LexisNexis Legal & Professional: On March 3, 2026, FulcrumSec claimed responsibility for breaching LexisNexis, alleging the theft of 2.04 GB of structured data from the company’s Amazon Web Services infrastructure.
Avnet: FulcrumSec has also claimed compromise of the electronics manufacturer, reaching out directly to security researchers about the incident.

The group’s tactics appear to focus on exploitation of unpatched vulnerabilities and cloud misconfigurations, followed by public shaming through data leaks. Unlike traditional ransomware operators, FulcrumSec has not been consistently associated with ransomware deployment or encryption — their model appears to lean more toward pure data theft and extortion.

The targeting pattern — a FinTech platform, a legal data giant, an electronics manufacturer, and now a healthcare company — suggests an opportunistic group that prioritizes high-value data over industry-specific targeting.

About Woundtech: A Critical Healthcare Provider

Understanding the scope of this breach requires understanding what Woundtech does and who it serves.

Wound Technology Network, Inc. was founded in 1999 (formerly known as PodiCare Services) and is headquartered in Hollywood, Florida. The company specializes in advanced mobile wound care, delivering evidence-based treatment directly to patients in their homes, skilled nursing facilities, assisted living communities, long-term acute care facilities, and group homes.

Woundtech partners with dozens of hospitals and healthcare providers across several states, serving as a specialized extension of their wound care capabilities. The company uses a proprietary telehealth platform and clinical tools to manage treatment, with a focus on chronic and complex wounds — including diabetic ulcers, pressure injuries, surgical wounds, and venous insufficiency.

The patient population served by Woundtech tends to be elderly, homebound, or residing in care facilities — individuals who are often among the most vulnerable to the consequences of identity theft and fraud. Many are Medicare or Medicaid beneficiaries who may lack the resources and awareness to monitor for identity misuse or navigate the credit freeze process.

The company claims healing rates more than 60% faster than industry averages, and its model specifically targets underserved communities where access to specialist wound care is limited. This makes the breach particularly troubling: the very populations Woundtech was designed to serve are now the ones most at risk from its security failure.

The HIPAA Dimension

As a healthcare entity that handles protected health information (PHI), Woundtech is subject to the Health Insurance Portability and Accountability Act (HIPAA). The types of data compromised in this breach — clinical notes, diagnoses, treatment information, health insurance details, and medical images — are all categories of PHI that HIPAA was specifically designed to protect.

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals “without unreasonable delay and in no case later than 60 days from the discovery of the breach.” Woundtech detected the unusual activity on December 6, 2025, and began mailing notifications on March 16, 2026 — approximately 100 days later.

The company may argue that it did not confirm the breach until December 31, 2025, bringing the notification timeline to approximately 75 days. Even by this measure, the notification was close to or beyond the HIPAA 60-day deadline, depending on how “discovery” is interpreted.

If the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) determines that Woundtech failed to comply with HIPAA’s notification requirements or lacked adequate safeguards, the company could face significant penalties. HIPAA violations can result in fines ranging from $141 to $2,134,831 per violation, with an annual maximum of $2,134,831 per violation category.

For a breach potentially affecting 160,000+ patients — if FulcrumSec’s claims are accurate — the regulatory and legal exposure could be substantial.

The Lawsuit Pipeline

Multiple law firms have already launched investigations into potential class action litigation against Woundtech. ClassAction.org reported on March 17, 2026, that attorneys are seeking to hear from affected individuals to determine whether a class action can be filed. Shamis & Gentile P.A., a firm specializing in data breach class actions, has also announced its investigation.

In healthcare data breach lawsuits, plaintiffs typically allege:

Negligence in failing to implement adequate security measures
Breach of fiduciary duty in mishandling entrusted personal information
Violation of state consumer protection statutes (such as the Texas Deceptive Trade Practices Act, given the Texas AG filing)
Violation of HIPAA (though HIPAA does not provide a private right of action, it is often cited as the standard of care)
Unjust enrichment — the argument that Woundtech profited from collecting patient data while failing to protect it

Damages sought in these cases typically include compensation for credit monitoring costs, time spent dealing with the breach, emotional distress, and the ongoing risk of identity theft and medical fraud.

Given the inclusion of clinical wound images — which could potentially be used for extortion or public humiliation — affected plaintiffs may have unusually strong claims for emotional distress damages.

Medical Identity Theft: A Growing Threat

The Woundtech breach highlights a particularly dangerous form of fraud: medical identity theft. When criminals obtain medical records, insurance information, and Social Security numbers together, they can:

File fraudulent insurance claims using stolen health insurance details
Obtain prescription medications under a victim’s identity
Receive medical treatment using stolen information, potentially corrupting the victim’s own medical records with incorrect diagnoses, blood types, or allergies — a situation that can become life-threatening
Submit fraudulent tax returns using stolen SSNs
Open new credit accounts or take out loans using the comprehensive identity profile assembled from the breach data

Medical identity theft is particularly insidious because victims often don’t discover it for months or years — unlike a stolen credit card, a compromised medical record doesn’t trigger an immediate alert. The Federal Trade Commission (FTC) estimates that resolving medical identity theft takes an average of 200+ hours and costs victims an average of $13,500 in out-of-pocket expenses.

For Woundtech patients — many of whom are elderly, homebound, or medically fragile — the burden of monitoring for and responding to medical identity theft is especially onerous.

What Affected Individuals Should Do

If you received a breach notification letter from Woundtech, or believe your information may have been compromised, the following steps are recommended:

Immediate Actions

Place a credit freeze with all three major credit bureaus:
- Equifax: 1-888-298-0045
- Experian: 1-888-397-3742
- TransUnion: 1-800-916-8800
Request a fraud alert — An initial fraud alert lasts one year and requires businesses to verify your identity before extending new credit.
Review your Explanation of Benefits (EOB) statements from your health insurance provider for any services, procedures, or treatments you did not receive.

Ongoing Monitoring

Monitor your credit reports — Under federal law, you are entitled to one free credit report annually from each bureau at AnnualCreditReport.com or by calling 1-877-322-8228.
Watch for phishing attempts — Scammers frequently exploit publicized data breaches by sending messages that reference the affected company by name.
Call Woundtech’s dedicated assistance line at 833-297-3496 (Monday–Friday, 8 AM–8 PM ET) if you did not receive a letter but want to check your status.

If You Suspect Fraud

File a complaint with the FTC at identitytheft.gov or by calling 1-877-438-4338.
File a police report if you discover unauthorized use of your information.
Contact your state attorney general for additional guidance and resources.

The Bigger Picture: Healthcare Under Siege

The Woundtech breach is part of a relentless wave of cyberattacks targeting the healthcare sector. According to IBM’s 2025 Cost of a Data Breach Report, healthcare remains the most expensive industry for data breaches at $7.42 million per incident — a figure that has remained consistently at the top of all sectors for over a decade.

The reasons are straightforward: healthcare data is extraordinarily valuable on the dark web. A complete medical record can sell for $250 to $1,000, compared to $1–$5 for a stolen credit card number. Medical records contain the holy trinity of identity theft: personal identifiers (name, DOB, SSN), financial information (insurance details, billing data), and health information (diagnoses, treatments) — all in one convenient package.

For organizations like Woundtech — which operate at the intersection of technology and patient care, handling sensitive data across a distributed network of care settings — the cybersecurity challenge is immense. The company’s mobile care model, while innovative and beneficial for patients, also creates a broader attack surface: data flows between patient homes, care facilities, telehealth platforms, and the central network, with each touchpoint representing a potential vulnerability.

The question for the healthcare industry is not whether more breaches will occur, but whether organizations are investing adequately in the security infrastructure needed to protect the sensitive data they collect. For the patients of Woundtech, that question has already been answered — and the answer came three months too late.

Timeline Summary

Date	Event
1999	Woundtech (as PodiCare Services) founded in Florida
December 6, 2025	Unusual network activity detected; investigation launched
December 6–9, 2025	Unauthorized access window — data potentially copied
December 31, 2025	Forensic investigation confirms data exfiltration
February 1, 2026	FulcrumSec claims responsibility, alleging 3.8TB stolen from 160K+ patients
March 2, 2026	Woundtech completes review of affected individuals
March 16, 2026	Notification letters begin mailing; public notice posted
March 17, 2026	Breach reported to Texas Attorney General (3,809 TX residents)
March 2026	Multiple law firms launch class action investigations

If you were affected by the Woundtech data breach, we recommend consulting with a data breach attorney to understand your legal options. This article is for informational purposes only and does not constitute legal advice.

Sources: