Brown Health Medical Group-MA (Lifespan Physician Group of Massachusetts, Inc.) Data Breach Class Action Lawsuit Investigation

Data breach law firm Abington Cole + Ellery is investigating potential legal claims related to the Brown Health Medical Group-MA / Lifespan Physician Group of Massachusetts, Inc. data breach, which reportedly affected at least 290,000 individuals and may have exposed Social Security numbers, medical or health records, financial-account information or account codes, credit and debit card information, driver’s-license numbers, and other government-issued identification numbers.


JOIN THIS INVESTIGATION: If you are interested in potentially volunteering to serve as a class representative in a class action lawsuit against Brown Health Medical Group-MA, please submit your information to be considered:

You may also open the form here: Brown Health Medical Group-MA Data Breach Lawsuit Form. An attorney-client relationship is not formed by submitting information through this website.

Brown Health Medical Group-MA Data Breach: Key Facts

Company: Brown Health Medical Group-MA (Lifespan Physician Group of Massachusetts, Inc.)
Location: Massachusetts / Rhode Island
Incident Type: Undisclosed
Number Affected: At least 290,000
Data Involved: Social Security numbers, medical or health records, financial-account information or account codes, credit and debit card information, driver’s-license numbers, and other government-issued identification numbers
Date Began: Undisclosed
Date Discovered: Undisclosed
Date Ended: Undisclosed
Notice Date: July 16, 2026
Credit Monitoring: Undisclosed
Status: Class Action Lawsuit Investigation


What happened in the Brown Health Medical Group-MA data breach?

Lifespan Physician Group of Massachusetts, Inc., which does business as Brown Health Medical Group–Massachusetts, recently reported a data breach involving sensitive personal, financial, and medical information. (Brown Health Medical Group-MA is the organization’s current public-facing name, while Lifespan Physician Group of Massachusetts remains its underlying legal name. The naming reflects the broader rebranding of the Lifespan health system as Brown University Health.)

Brown Health Medical Group-MA reported the data breach to Massachusetts authorities on July 16, 2026, under breach report number 2026-1151. The Massachusetts filing states that 290,357 residents of the Commonwealth were affected. A separate filing identified 86 affected Vermont residents. Based on those two disclosures, the Brown Health Medical Group-MA data breach affected at least 290,443 people, although a complete nationwide total has not been publicly confirmed.

The compromised information may have included Social Security numbers, medical and health records, financial-account information, credit and debit card information, driver’s-license numbers, and other government-issued identification numbers. The particular information exposed may differ among affected individuals, and the public filings do not establish that every category was involved for every person.

Brown Health Medical Group-MA has not publicly explained how the breach occurred. Available records do not identify whether the incident resulted from ransomware, phishing, compromised credentials, a software vulnerability, employee error, or another cause. The organization also has not disclosed when the unauthorized access began or ended, when it discovered the incident, or how long the affected information may have been exposed. Accordingly, July 16, 2026, should be described as the date the breach was reported—not necessarily the date it occurred or was discovered.

Affected individuals reportedly began receiving notice around the time of the regulatory disclosures. However, publicly available records do not confirm whether Brown Health Medical Group-MA offered complimentary credit monitoring or identity-theft protection services. Individuals who received a notification letter should review it carefully for details about the information involved, any available protection services, enrollment instructions, and applicable deadlines.


How did the Brown Health Medical Group-MA breach occur?

Brown Health Medical Group-MA has not publicly disclosed how the data breach occurred. The available regulatory filing does not identify whether the incident involved ransomware, phishing, compromised login credentials, a software vulnerability, an employee error, or another cause. It reports that sensitive personal, financial, and health information was exposed but does not provide the dates of unauthorized access, the discovery date, or technical details about the incident. Therefore, the cause and method of the Brown Health Medical Group-MA breach remain unknown based on currently available information.


When did the Brown Health Medical Group-MA breach occur?

The date of the Brown Health Medical Group-MA data breach has not been publicly disclosed. Available records do not specify when the unauthorized access began or ended, or when Brown Health Medical Group-MA discovered the incident. The earliest confirmed public date is July 16, 2026, when Lifespan Physician Group of Massachusetts, Inc., doing business as Brown Health Medical Group–Massachusetts, reported the breach to the Vermont Attorney General (and Massachusetts) and reportedly began notifying affected individuals.


How many people were affected by the Brown Health Medical Group-MA breach?

The Brown Health Medical Group-MA data breach affected at least 290,443 people, including 290,357 Massachusetts residents and 86 Vermont residents. A complete nationwide total has not yet been publicly confirmed.


What information was exposed in the Brown Health Medical Group-MA breach?

  • The specific information exposed likely varied by individual, so not every category was necessarily involved for every affected person. Breached data reportedly may include, but is not necessarily limited to:
    • Social Security numbers
    • medical or health records
    • financial-account information or account codes
    • credit and debit card information
    • driver’s-license numbers
    • other government-issued identification numbers

Has Brown Health Medical Group-MA offered free credit monitoring and/or identity theft protection services?

It is not currently known whether Brown Health Medical Group-MA offered affected individuals free credit monitoring or identity-theft protection services. Individuals who received a notification letter should review it for any enrollment instructions or activation code.


Brown Health Medical Group-MA data breach timeline:

Date Event
Undisclosed Unauthorized activity began.
Undisclosed Brown Health Medical Group-MA discovered the incident.
Undisclosed Unauthorized activity ended.
Undisclosed Data breach investigation concluded.
July 16, 2026 Brown Health Medical Group-MA began notifying affected individuals.

Who is Brown Health Medical Group?

Brown Health Medical Group-MA is a physician-led medical practice affiliated with Brown University Health that provides primary care, urgent care, behavioral health, and specialty medical services across Rhode Island and southeastern Massachusetts. The organization’s current materials identify Lifespan Physician Group of Massachusetts, Inc. as doing business as Brown Health Medical Group-MA in Massachusetts. Across its regional network, Brown Health Medical Group-MA includes more than 1,500 healthcare providers in fields such as cardiology, surgery, ophthalmology, and psychiatry.

Why the two names? Lifespan Physician Group of Massachusetts, Inc. is the legal corporate entity, while Brown Health Medical Group–Massachusetts is the name under which it does business. In other words, they are not unrelated healthcare providers: Lifespan Physician Group of Massachusetts operates as “Brown Health Medical Group-MA.”

The naming change followed the broader rebranding of the Lifespan health system as Brown University Health in October 2024. “Brown Health Medical Group” now serves as the shared public-facing name for affiliated physician practices, while Lifespan Physician Group of Massachusetts, Inc. remains the underlying legal name appearing in regulatory and breach filings.


What should affected individuals do?

Affected individuals should carefully review and preserve their Brown Health Medical Group-MA notification letter and follow any enrollment instructions for complimentary protection services, if offered. Because Social Security numbers and other identifying information were involved, individuals should consider placing a free credit freeze with Equifax, Experian, and TransUnion and regularly review their credit reports for unfamiliar accounts or inquiries. They should also monitor bank and payment-card statements, promptly report unauthorized transactions, and ask the relevant financial institution whether an exposed account or card number should be replaced.

Because medical records were also affected, individuals should examine medical bills, insurance explanations of benefits, Medicare Summary Notices, prescription histories, and patient-portal records for unfamiliar providers, services, or claims. Any discrepancies should be reported promptly to the healthcare provider and insurer. Affected individuals should also be cautious of unexpected calls, emails, or text messages referring to the breach, particularly communications requesting passwords, payment, Social Security numbers, or medical information. Medical identity theft can create inaccurate healthcare records as well as fraudulent charges, so continued monitoring may be appropriate even if no immediate misuse appears.


Sources and additional information about the data breach:


Class Action FAQ

A class action lawsuit is a case brought on behalf of a group of people who were harmed in a similar way by the same company or organization.

A class representative, sometimes called a named plaintiff or lead plaintiff, is a person who volunteers to bring the lawsuit on behalf of the larger group. They help represent the interests of everyone in the class. There may be more than one class representative in a class action.

A person who was harmed may start a class action if many other people were harmed in a similar way.

Usually, no. In many class action cases, the lawyers are paid only if the case is successful.

Sometimes you do not need to do anything. Other times, you may need to submit a claim form by a deadline to receive money or benefits.


data types, numbers, timeline, dates



About This Data Breach Resource

This page was created to give affected individuals and researchers a clear, comprehensive explanation of the Brown Health Medical Group-MA (Lifespan Physician Group of Massachusetts, Inc.) data breach. It summarizes what is currently known about the incident, including the timeline, how the breach was discovered, the types of information involved, the number of people affected when available, important notice dates, and steps individuals may want to take after receiving a data breach notification.

This resource is independently written and organized to help readers understand the breach without having to review multiple notices, state attorney general filings, company statements, and related materials. When available, this page relies on primary sources and identifies key facts, unanswered questions, and updates as new information becomes public.

This page is especially relevant for readers searching for information about the Brown Health Medical Group-MA data breach, Brown Health Medical Group-MA data breach notice, Brown Health Medical Group-MA class action investigation, what information was exposed, how many people were affected, and what affected individuals should do next.

Abington Cole + Ellery reviews data breach incidents involving sensitive personal information, financial information, and protected health information. This page is intended to help affected individuals understand the publicly reported facts, the types of information that may have been involved, and practical steps that may reduce the risk of identity theft or medical identity theft.

The information on this webpage is provided for general informational purposes only and does not constitute legal advice. Nothing on this page should be relied upon as legal advice for any particular situation. Submitting information through this page does not create an attorney-client relationship.

For more information about steps you can take to possibly reduce the risk harm arising from a data breach, please review the following article: What are some steps you can take if you've been the victim of a data breach?

This website is not associated with nor authorized by Brown Health Medical Group-MA or any affiliated companies. If you have received any other data breach notifications, you may want to review Abington Cole + Ellery's current list of data breach investigations.