HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

92,332 Individuals affected in Oglethorpe data breach

Written by Tshedimoso Makhene | Nov 15, 2025 5:07:04 PM

Over 92,000 people's personal and medical information, including sensitive identifiers like Social Security numbers and driver's license numbers, was compromised in a significant breach at behavioral health services provider Oglethorpe, Inc.

 

What happened

According to The Claim Depot, the Florida-based firm, which supports mental health and addiction recovery treatment centers across several states, confirmed that a cyber intruder gained access to its network between May 15 and June 6, 2025, and exfiltrated files containing patient information. 

In total, 92,332 individuals were notified about exposure of personally identifiable information (PII) and protected health information (PHI), including names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. 

The company engaged third-party forensics, wiped and rebuilt affected systems, restored data from backups, and began notifications in late October/early November 2025. 

 

Going deeper

According to the released timeline, the threat actor obtained access on May 15, and that access remained active until June 6. The formal determination that patient files were exfiltrated occurred on September 16, and Oglethorpe completed its review on October 23. 

While the firm reports no confirmed misuse of the information so far, the combination of PII and PHI raises risks of identity theft, financial fraud, and medical fraud. 


Oglethorpe is offering affected individuals 12 months of single-bureau credit monitoring and credit score services as a precaution.

 

What was said 

According to the breach notice, Oglethorpe states that, “On or about June 6, 2025, we detected a network security incident, in which an unauthorized third-party accessed our network environment. We quickly engaged third-party forensic specialists to assist us with securing the network environment and investigating the extent of any unauthorized activity. Our investigation which concluded on September 16, 2025, determined an unauthorized third party acquired certain individual personal information during this incident. Oglethorpe then undertook an in-depth review process of the impacted information to determine the impacted individuals and their address information. This process was recently completed on October 23, 2025.

We found no evidence that your information has been specifically misused; however, it is possible that the following personal information could have been accessed by an unauthorized third party: first and last name, date of birth, driver's license number, Social Security number, and medical information.”

 

In the know

Between July and September 2025, 90 network server attacks were reported to the HHS Office for Civil Rights (OCR), marking a sharp rise in large-scale healthcare data breaches. Most of these incidents involved hacking or IT intrusions targeting centralized systems that store vast amounts of patient data.

The surge reflects a broader trend: healthcare’s dependence on connected systems has made network servers a top target for cybercriminals. With each breach potentially affecting tens of thousands of individuals, OCR urges covered entities and business associates to strengthen server security, apply multi-factor authentication, and maintain robust monitoring and backup systems to limit the damage of future attacks.

 

Why it matters

The Oglethorpe breach reflects a troubling rise in hacking and IT incidents across healthcare. These breaches go beyond data loss; they disrupt care, damage trust, and expose patients to identity theft and fraud. For behavioral-health providers, the impact is even deeper, as compromised files may reveal sensitive mental-health or addiction information.

 


FAQs

Why are healthcare organizations being targeted?

Healthcare data contains valuable personal, financial, and medical details. Attackers exploit unpatched systems, weak credentials, and connected networks to access large volumes of sensitive data.


 

What steps should healthcare providers take to prevent similar breaches?

Providers should enforce multi-factor authentication (MFA), apply security patches regularly, encrypt stored data, and continuously monitor servers for suspicious activity.

 

What are the penalties for violating HIPAA due to a breach?

HIPAA violations can result in fines ranging from $141 to $71,162 per violation, depending on the level of negligence, with a maximum annual penalty of $2,134,831 for repeat offenses.
