Arkansas Primary Care Data Breach
Arkansas Primary Care Clinic Breach (2025): Patient SSN & Home Address Exposed
Primary care medical practice.
Risk Interpretation
High risk of identity theft, medical fraud, and privacy harm. Primary care data can also support treatment-themed phishing and insurance scams.
Impact & Downstream Threats
The institutional impact on Arkansas Primary Care is significant relative to the practice's size as a small regional primary-care clinic. Federal HIPAA notification obligations, an Office for Civil Rights review, Arkansas attorney-general filings, and emerging class-action litigation discussions are all underway. INC Ransom's listing of the practice and threatened publication of the stolen 15 GB dataset creates direct evidence of broad data exposure. As a small independent practice with limited
- Identity theft and synthetic identity construction using government-issued IDs
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
Arkansas Primary Care Clinic, PA, a primary-care medical practice in Little Rock, Arkansas, suffered a ransomware attack in late April 2025 carried out by the INC Ransom ransomware-as-a-service group. The attackers claimed to have exfiltrated approximately 15 gigabytes of data before deploying ransomware on the clinic's systems. INC Ransom listed the practice on its dark-web leak site and threatened to publish the stolen data unless ransom demands were met. The breach was indexed by breach-tracking services in early July 2025.
The breach affected approximately 26,000 individuals based on records indexed by breach-tracking services. Compromised fields included Social Security numbers, email addresses, phone numbers, and home addresses. As a primary-care clinic, the underlying records exfiltrated by the attackers also include patient identity, insurance, billing, clinical, diagnostic, and treatment information typical of a long-term primary-care relationship, beyond the more limited field set surfaced publicly.
For affected patients, the practical risk profile combines identity-fraud exposure with primary-care-specific risks. The combination of name, address, and Social Security number is a strong base for synthetic identity fraud and fraudulent credit applications. Inclusion in the dataset confirms a primary-care relationship that often spans years of medical records and may include sensitive diagnoses, prescription histories, and insurance information. Patients should treat unsolicited contact referencing Arkansas Primary Care or any past primary-care visit with caution. Affected individuals should freeze credit at all three U.S. bureaus, monitor health-insurance statements for unfamiliar charges, and remain alert to phishing attempts referencing real medical history details that may have been included in the stolen archive.
About Arkansas Primary Care
Arkansas Primary Care Clinic, PA is a primary-care medical practice based in Little Rock, Arkansas, providing routine and family medical services to patients across central Arkansas. The clinic operates as a roughly 30-employee independent practice with approximately $6.8 million in annual revenue, typical of a regional primary-care operation. Services include general primary care, preventive medicine, routine examinations, and management of common chronic conditions. As a HIPAA-regulated primary-care provider, Arkansas Primary Care maintains patient identity, contact, insurance, billing, appointment, and clinical records across its routine medical-service workflows, alongside diagnosis, treatment, and prescription information typical of a primary-care relationship that often spans many years.
Why They Hold Your Data
Primary care clinic networks collect patient identity, contact, insurance, billing, appointment, and clinical records across routine medical-service workflows.
Recent Developments
Arkansas Primary Care was attacked by the INC Ransom ransomware group in late April 2025. The attackers claimed to have exfiltrated approximately 15 GB of data before deploying ransomware on the clinic's systems and subsequently listed the practice on the INC Ransom dark-web leak site. The breach was indexed by breach-tracking services in early July 2025. Class-action investigations by U.S. plaintiff law firms began organizing in mid-2025 following the initial disclosure. INC Ransom has been an active ransomware-as-a-service operation throughout 2024 and 2025 with multiple healthcare-sector victims, including Mount Rogers Community Services Board.
Data Points Exposed
Exposure Categories
Canonical Fields
email_address, phone_number, physical_address:home, ssn
Dark Web Verification
- Dataset containing ~26K records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: arkansasprimarycare-com-2025
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Arkansas Primary Care
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam