IPPC breach affects 133,862 people across long-term care network

Innovative Pharmacy Packaging Corp., together with IPPC of New York LLC and Innovative Pharmacy LLC, admitted it discovered suspicious activity on its technical network, which led to systems being put offline during the investigation

.

What happened

The company determined that an unknown actor accessed its network during a limited window and that files were copied and potentially viewed during that time. It then reviewed the affected files to identify the information involved and the individuals impacted, stating its preliminary review was completed before notifications were issued.

The company also said it notified federal law enforcement and relevant regulators, while its individual notification letter says it was not aware of identity theft or fraud tied to the incident at the time of notice and that affected people were offered 24 months of monitoring services. Federal regulators separately list the event on the HHS OCR breach portal as a February 27, 2026, submission involving 133,862 individuals, classified as a hacking and IT incident affecting a network server.

What was said

The breach notification letter stated, “IPPC became aware of suspicious activity involving our technical network. We promptly took systems offline and began an investigation. The investigation determined that the network had been accessed by an unknown actor between September 18, 2025, and September 19, 2025, and during this time files were copied and potentially viewed. As a result, IPPC conducted a detailed review of the files to determine the type of information present and to whom it relates. This process was completed on or around February 9, 2026.”

Why it matters

According to the company’s public notice, IPPC operates as a long-term-care pharmacy serving long-term-care settings and communities, which helps explain how a brief intrusion could still reach 133,862 individuals across a wide network of patients and facilities. In that sense, the incident is less of a contained breach at a single healthcare provider and more of a large-scale third-party event that can spread across multiple organizations at once. Paubox’s 2025 Healthcare Email Security Report adds that only 1.1% of healthcare organizations had a low-risk email security posture.

Broader industry data shows the same pattern. One BioData Mining review found that healthcare breaches exposed more than 133 million records in 2023 alone, with hacking and ransomware driving nearly 80% of incidents.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

Does a short intrusion always mean limited harm?

No, even a short break-in can cause serious harm if the attacker gets into a system that stores a lot of sensitive information.

Why do companies review files after a breach?

They do it to understand what was exposed, how many people may be affected, and who needs to be contacted.

Why can breach investigations take time?

These investigations are rarely quick. Teams usually have to trace what happened, review large volumes of files, and work out exactly which people were affected before they can send accurate notices.