2 min read

Cincinnati nonprofit Beech Acres exposes medical records of 19,315 individuals

Cincinnati nonprofit Beech Acres exposes medical records of 19,315 individuals

Beech Acres Parenting Center, a 175-year-old Cincinnati nonprofit providing mental health services and foster care support, has disclosed a data breach affecting 19,315 individuals whose protected health information (PHI) and Social Security numbers were potentially accessed by unauthorized parties. The organization, which partners with healthcare providers across Greater Cincinnati and relies on Medicaid funding for its mental health services, discovered the breach on November 23, 2024, but only completed its investigation and began notifying victims nine months later in August 2025.

 

What happened

On November 23, 2024, Beech Acres detected unusual activity in its digital environment and immediately secured its network while launching an investigation with independent cybersecurity experts. The forensic investigation determined that certain data stored on Beech Acres' systems may have been accessed or acquired without authorization by an unknown threat actor.

The review to identify affected individuals and their contact information took nearly nine months, concluding on August 13, 2025. Beech Acres began mailing notification letters to 19,315 affected individuals on August 22, 2025, and reported the incident to attorneys general in Maine, Massachusetts, and Montana. The organization also notified the Federal Bureau of Investigation and established a dedicated call center through TransUnion.

 

The intrigue

What makes this breach concerning is the depth and sensitivity of the exposed information, combined with the organization's vulnerable client base. Beech Acres serves families in crisis, including those in foster care systems, receiving mental health treatment, and participating in parenting support programs, populations that may already face economic challenges and be less equipped to handle identity theft.

The nine-month gap between discovery and notification raises questions about the complexity of the breach and the organization's response capabilities. During this extended period, affected individuals remained unaware that their most sensitive information, including medical records and Social Security numbers, had potentially been in unauthorized hands since late 2024.

 

Why it matters

Beech Acres' role in providing mental health services, foster care support, and parenting assistance means the exposed data likely includes highly sensitive psychiatric records, family court documents, and information about vulnerable children.

For healthcare organizations partnering with nonprofits like Beech Acres, this incident points to third-party risk management concerns. The organization's Parent Connect program places coaching specialists in pediatric practices, creating potential HIPAA compliance issues for medical providers who share patient information with the nonprofit.

 

What they're saying

Laura Mitchell, CEO of Beech Acres Parenting Center, stated in the notification letter, "Please accept our sincere apologies and know that we deeply regret any worry or inconvenience that this may cause you."

Maria Efaplomatidis, representing Beech Acres through Constangy, Brooks, Smith & Prophete, LLP, told the Maine Attorney General, "Beech Acres takes the protection of all information within its possession very seriously and has taken measures to reduce the likelihood of a similar incident from reoccurring."

 

FAQs

Who is eligible for free credit monitoring?

All individuals whose Social Security numbers were involved in the breach are being offered 12 months of complimentary single-bureau credit monitoring through TransUnion, including credit reports, credit scores, and fraud assistance services.

 

What should affected individuals do?

Enroll in the free credit monitoring within 90 days using the unique code in your notification letter, place fraud alerts with credit bureaus, monitor all financial accounts for suspicious activity, be alert for phishing attempts using your exposed information, and consider freezing your credit if you notice any unauthorized activity.

 

Does this breach affect current clients only?

The breach notification does not specify whether only current clients were affected. Given the organization's 175-year history and the nature of services provided, the breach may include historical client records. Contact Beech Acres' call center at 833-397-8859 for specific information about your data.