Minnesota Epilepsy Group and ECBM Data Breaches Prompt Class Action Investigations
Severity: Medium (Score: 51.9)
Sources: Classaction
Keywords: data, breach, attorneys, minnesota, epilepsy, group, ecbm
Severity indicators: breach, data breach, ot
Summary
Two significant data breaches have been reported: the Minnesota Epilepsy Group and ECBM. The Minnesota Epilepsy Group breach was discovered on April 7, 2026, with unauthorized access occurring between March 19 and April 10, exposing personal and medical information of affected individuals. Notification letters were sent out starting June 5, 2026. Meanwhile, ECBM, an insurance company, detected suspicious activity on October 25, 2024, with unauthorized access occurring from October 19 to 25, compromising sensitive personal and financial data. Both organizations are now facing potential class action lawsuits as attorneys seek to hear from affected individuals. The breaches have raised concerns about data protection practices in the healthcare and insurance sectors.
Key Points:
- Minnesota Epilepsy Group reported a data breach affecting personal and medical information.
- ECBM disclosed a breach involving sensitive financial and health data from 2024.
- Both organizations are under investigation for potential class action lawsuits.
Detailed Analysis
**Impact** The Minnesota Epilepsy Group data breach affected patients from three clinics and partner hospitals in Minnesota, exposing names, addresses, dates of birth, Social Security numbers, medical treatment, and health insurance information. The breach occurred between March 19 and April 10, 2026, with notifications sent starting June 5. The ECBM breach impacted individuals insured by this Pennsylvania-based company, with exposure of names, Social Security numbers, health insurance, financial account information, driver’s license numbers, and medical data. ECBM’s breach occurred between October 19 and 25, 2024. Both incidents risk identity theft, financial fraud, and privacy loss for affected individuals.
**Technical Details** Both breaches involved unauthorized access to internal systems over extended periods (Minnesota Epilepsy Group: ~3 weeks; ECBM: ~1 week). Investigations involved forensic and cybersecurity specialists but no specific attack vectors, malware, exploited CVEs, or infrastructure details were disclosed. The breaches correspond to unauthorized access and data exfiltration stages of the kill chain. No IOCs or technical indicators were provided in the source articles.
**Recommended Response** Organizations should monitor for unauthorized access attempts and unusual network activity indicative of lateral movement or data exfiltration. Implement strict access controls and conduct regular audits of privileged accounts. Since no specific vulnerabilities or malware were identified, focus on enhancing detection capabilities for anomalous behavior and ensure timely notification and support for affected individuals. Defenders should also prepare for potential legal and reputational impacts by documenting incident response and remediation efforts.
Source articles (2)
- ECBM Data Breach Reported; Attorneys Investigating — Classaction · 2026-06-08
Attorneys working with ClassAction.org are looking into whether a class action lawsuit can be filed in light of the ECBM data breach. As part of their investigation, they need to hear from individuals…
- Minnesota Epilepsy Group Data Breach — Classaction · 2026-06-08
Attorneys working with ClassAction.org are looking into whether a class action lawsuit can be filed in light of the Minnesota Epilepsy Group data breach. As part of their investigation, they need to h…
Timeline
- 2024-10-25 — ECBM breach detected: ECBM reported suspicious activity and confirmed unauthorized access to its systems between October 19 and 25, 2024.
- 2026-04-07 — Minnesota Epilepsy Group breach discovered: Unauthorized access was detected, with investigations revealing data exposure from March 19 to April 10, 2026.
- 2026-05-18 — Compromised data analysis completed: Analysis confirmed exposure of names, Social Security numbers, and medical information for individuals affected by the breach.
- 2026-06-05 — Notification letters mailed to affected individuals: Minnesota Epilepsy Group began notifying individuals whose data may have been compromised.
- 2026-06-08 — Class action investigations announced: Attorneys are seeking individuals affected by both breaches to potentially file class action lawsuits.
Related entities
- Data Breach (Attack Type)
- ECBM (Company)
- Minnesota Epilepsy Group (Company)
- classaction.org (Domain)
- Financial (Industry)