Lynch Carpenter, LLP announced on December 23, 2025 that it is investigating potential legal claims arising from a data breach involving Fyzical Acquisition Holdings, LLC, the parent company of Fyzical Therapy & Balance Centers, which operates more than 600 locations across 46 states.
According to the firm, the incident involved unauthorized access to Fyzical’s network in August 2024, an event that may have resulted in the exposure of personally identifiable information (PII) and protected health information (PHI) belonging to an unknown number of individuals. Lynch Carpenter stated that the information potentially implicated in the incident includes individuals’ names in combination with sensitive data elements.
The incident dates to December 9, 2024, when the company became aware of unusual activity within its email environment, prompting an internal investigation. The investigation determined that some email data may have been viewed or copied without authorization.
Fyzical then undertook a comprehensive review of the affected email data to determine what information was involved and which individuals were impacted, a process that concluded on November 25, 2025. The company later confirmed that the potentially affected information varied by individual. Fyzical issued a formal website notice dated December 19, 2025.
The notice states, “Upon becoming aware, we promptly began an investigation to learn more about what happened. That investigation found that some email data may have been viewed or copied without authorization as part of the event.”
The Fyzical Acquisition Holdings, LLC incident falls on the lower-to-moderate end of email-related healthcare data breaches, particularly when compared to severe cases like the 2024 Wayne Memorial Hospital breach in Georgia, where a single compromised email account escalated into a full external system breach, prolonged operational shutdown, and large-scale data theft.
Unlike the Wayne Memorial Hospital incident, where attackers moved laterally from email access into broader systems between May 30 and June 3, 2024, affecting 163,440 individuals and resulting in a terabyte-scale data exfiltration, Fyzical did not report a system-wide compromise, ransomware deployment, or operational shutdown. Instead, the Fyzical breach aligns with a common healthcare breach pattern in which email accounts serve as the initial and sole point of exposure.
An email-related data breach occurs when unauthorized parties gain access to email accounts or messages containing sensitive information.
Most email breaches result from phishing attacks, stolen credentials, or weak authentication controls rather than sophisticated malware.
Healthcare organizations rely heavily on email to share patient and billing information, making inboxes a frequent target for attackers.