On May 5, 2025, Infinite Services in New York became aware of suspicious activity when employees were unable to log into the network. “Several servers were off, but one remained on which had an extension from the threat actor group,” external counsel SpencerFane informed the New Hampshire Attorney General. “The electricity was unplugged from the entire network, interrupting the encryption process. The threat actor was able to log into one of the servers.”
Infinite Services offers a variety of therapies including physical therapy, speech therapy, occupational therapy, counseling, home health services, and ABA. Services are provided in schools, homes, skilled nursing facilities, and assisted living facilities.
On June 23, 2025, Infinite Services determined that some patient and employee personally identifiable information was contained within the server that the threat actors had been able to access. Infinite Services then made a decision that many others might not have made: “In a desire to notify current and former employees, rather than wait on data mining, Infinite Services opted to notify anyone who potentially had information on the server.”
Infinite Service’s website emphasizes that their therapists are their loved ones and that’s how they treat them and their patients. In notifying everyone and offering them complimentary services instead of waiting to determine exactly who needed to be notified, they suited their actions to their words. The information that could have been subject to unauthorized access includes name, address, Social Security number, member identification number, date of birth, and health insurance information.
Caring for their therapists and patients did not extend to caring for the unnamed threat actor(s). “Despite ongoing communication with the threat actors, no ransom was paid and to-date, and there has been no data publication,” the notification to New Hampshire explained.
The total number notified was not disclosed, but 8 New Hampshire residents were notified of the incident. Everyone being notified was offered complimentary credit monitoring and a zero-deductible, $1,000,000 identity theft insurance policy through IDX.
No ransomware group or affiliate has publicly claimed responsibility for the attack, and no information has been disclosed about how the threat actors were able to gain access.