Excel Fitness Consolidator LLC recently reported a data breach, resulting from breached employee email accounts, that potentially compromised the sensitive personally identifiable information (PII) of an unknown number of individuals.
Excel Fitness, a Texas-based franchisee of Planet Fitness operating over 160 locations across several states, disclosed a data breach to the New Hampshire Attorney General. On or around January 17, 2025, the company detected unauthorized access to some employee email accounts.
The breach occurred intermittently between September 16, 2024, and January 18, 2025. After an investigation was completed on July 9, 2025, Excel Fitness confirmed the exposure of sensitive personal information, including names and Social Security numbers.
Notification letters began mailing on August 8, 2025, along with offers for 12 months of complimentary credit monitoring for affected individuals.
In the official breach notice filed with the New Hampshire Attorney General, Excel Fitness stated it “took immediate action to address and investigate the event, which included engaging third-party specialists to assist with determining the nature and scope of the incident.”
Furthermore, the company offers affected individuals 12 months of complimentary credit monitoring services.
Employee email accounts are often targeted during data breaches because they can be accessed remotely and contain sensitive customer and employee data. Breaches involving personally identifiable information can lead to identity theft, financial fraud, and loss of consumer trust.
Since the fitness industry handles health-related data, these organizations must improve their email security. More specifically, these organizations must use a HIPAA-compliant email solution, like Paubox, to prevent such data breaches.
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.