Skip to main content
A graphic showing different healthcare related items and how they are interconnected

Patriot Outpatient & Supportive Home Health Data Breach

Written by Joseph Lyon on . Posted in Data Breach.

Home health patients in Ohio trusted Patriot Outpatient LLC and Superior Care Plus LLC — doing business as Supportive Home Health — with some of their most sensitive information. In January 2026, the two affiliated Ohio healthcare providers disclosed a data breach that exposed protected health information belonging to 1,415 patients across the United States.

The breach traces back to a phishing email attack first detected in November 2025 — and the gap between discovery and disclosure raises serious questions about how quickly affected patients were warned. If you received care from Patriot Outpatient or Supportive Home Health, contact our data breach lawyers to discuss your options. 

How the Patriot Outpatient Breach Happened

On November 17, 2025, Patriot Outpatient LLC detected suspicious activity within its computer systems. An internal investigation confirmed that a phishing email had successfully compromised an employee email account, allowing an unauthorized party to access certain patient information stored within that account.

The company engaged an outside cybersecurity firm to conduct a forensic investigation. That investigation concluded on January 9, 2026, confirming that specific emails and files had been accessed and viewed without authorization. Patriot disclosed the breach to the U.S. Department of Health and Human Services on January 16, 2026, and posted a notice on its website.

The root cause — a single compromised email account — reflects a pattern seen across hundreds of healthcare breaches annually. Phishing attacks succeed when organizations lack adequate email security controls, employee training protocols, and multi-factor authentication safeguards. When those defenses fail, patients pay the price.

Who Are These Companies?

Patriot Outpatient LLC and Superior Care Plus LLC dba Supportive Home Health are Ohio-based healthcare providers operating under the Patriot at Home umbrella. Patriot provides physical therapy, occupational therapy, skilled nursing, and primary care services to patients in their homes — the kind of vulnerable, Medicare-certified population that requires and deserves the highest standard of data protection. The organization serves patients across the Akron, Youngstown/Warren, and Cincinnati areas.

What Patient Information Was Exposed?

While the full scope of compromised data varies by individual, the types of information potentially accessed in this breach may include:

  • Full name and home address
  • Date of birth
  • Social Security number
  • Medical records and treatment details
  • Protected health information (PHI)
  • Health insurance information

For home health patients — many of whom are elderly or managing serious medical conditions — exposure of this data creates heightened risk. Medical identity theft, fraudulent insurance billing, and targeted financial scams are all documented downstream consequences of healthcare breaches of this type.

The Timeline Problem: 53 Days From Discovery to Disclosure

One of the most significant legal issues in this case is timing. Patriot detected suspicious activity on November 17, 2025. The forensic investigation concluded January 9, 2026. HHS was notified January 16 — a gap of 60 days from initial detection to federal disclosure, landing precisely at the outer boundary of HIPAA’s 60-day notification requirement.

For patients, that 53-day window between discovery and formal disclosure meant nearly two months of unknowing exposure — unable to freeze their credit, monitor for fraudulent medical claims, or take any protective action. Whether the pace of notification meets the legal standard of “without unreasonable delay” is a question with real legal significance.

Why Hire The Lyon Firm for This Case?

Healthcare data breach litigation requires attorneys who understand HIPAA’s technical requirements, the forensic evidence underlying breach claims, and the legal theories most effective in holding providers accountable.

The Lyon Firm focuses exclusively on data privacy and security law. We represent individuals whose most sensitive personal and medical information has been exposed through corporate negligence, inadequate security practices, or delayed notification. We have pursued breach claims against healthcare organizations, insurers, and third-party vendors — and we know what it takes to build a compelling case.

We offer a free, no-obligation case evaluation. We will tell you honestly whether we believe you have a viable claim and what pursuing it could look like. We don’t accept cases we don’t intend to fight, and we don’t treat breach victims as a volume exercise.

If Patriot Outpatient or Supportive Home Health failed to protect your data, contact The Lyon Firm. Your health information deserves the same level of care these companies promised — and failed — to provide.