Thousands exposed via data breach of major American delivery company

OnTrac, a last-mile delivery company, has suffered a hacker attack. The attackers obtained personal details, including IDs, health information, and other sensitive data.

The company recently sent out a batch of data breach notification letters, informing individuals that their data may have been involved in a recent data breach. According to the company, attackers roamed a portion of its network between April 13th and 15th, 2025.

OnTrac operates 64 facilities in 31 States and controls four sorting centers throughout the US. The company’s yearly revenue is estimated to be around $1.5 billion. In 2021, LaserShip acquired the company.

Information that the company submitted to the Maine Attorney General’s Office reveals that the April data breach affected over 40,000 individuals. OnTrac’s investigation into the hacker attack revealed that malicious actors may have accessed:

• Dates of birth
• Social Security numbers (SSNs)
• Driver’s License or State IDs
• Medical information
• Health Insurance Information

Having IDs and SSNs exposed drastically increases privacy risks to exposed individuals. For one, attackers may use the information for identity theft. For example, attackers may try setting up fraudulent bank accounts, filing false tax returns, or even attempting to take over an individual’s benefits.

Having medical information and health insurance details further endangers those whose data has been exposed. Cybercrooks value health-related information because it can be exploited in numerous malicious ways. Most obviously, attackers could resort to blackmail, attempting to extort individuals who’d rather have their medical information remain private.

Another attack vector is medical identity theft. In these cases, malicious actors attempt to submit fraudulent insurance claims or acquire prescription drugs, which could later be sold on the dark web.

The worst part about having medical and ID details leaked is that it’s not something individuals can replace, like a stolen credit card.

“Because we took steps to ensure that the data at issue was re-secured and not distributed, we are not aware of any fraud or publication of stolen information resulting from this incident, nor do we have any reason to believe any such misuse of information will occur,” OnTrac’s breach notice said.

To help impacted individuals with possible cybersecurity risks, the company said it will provide them with complimentary credit monitoring and identity protection services, an industry standard in data breach cases.