Richmond Behavioral Health Authority ransomware attack exposes data of over 100k
Lusanda Molefe Dec 20, 2025 1:21:10 PM
Richmond Behavioral Health Authority has disclosed a ransomware attack affecting 113,232 individuals after malicious actors gained access to the organization's network and encrypted portions of its systems in late September 2025. The Virginia-based mental health and substance use treatment provider confirmed that sensitive information including Social Security numbers, passport numbers, financial account details, and medical records may have been accessed, though the organization stated there is no definitive evidence data was exfiltrated or misused.
What happened
On or around September 29, 2025, malicious actors gained unauthorized access to Richmond Behavioral Health Authority's network and deployed ransomware, encrypting portions of the organization's systems. RBHA detected the intrusion the following day, September 30, 2025, and immediately terminated the attackers' network access.
Upon discovery, RBHA engaged its management team, IT staff, and third-party cybersecurity experts to investigate the incident, secure personal information, and protect the network from further compromise. The organization also reported the attack to the FBI's Cyber Division and the Virginia Fusion Center.
The potentially compromised information includes full names or first initials combined with last names, Social Security numbers, passport numbers, financial account information, and health-related information. RBHA reported the breach to the U.S. Department of Health and Human Services on November 28, 2025, and began mailing notification letters to affected individuals in early December.
"There is no definitive evidence to delineate the scope of personal or health information that may have been accessed at this time," RBHA stated in its public disclosure. "However, because an unknown actor gained access to our network, we are providing notice out of an abundance of caution."
The big picture
Richmond Behavioral Health Authority serves as the Community Services Board for the City of Richmond, providing mental health services, developmental disability support, substance use treatment and prevention, and medical services to the local community. As a public behavioral health organization, RBHA handles some of the most sensitive categories of protected health information (PHI), including mental health diagnoses, substance abuse treatment records, and crisis intervention documentation.
Behavioral health providers face unique data protection challenges because their records carry high risks for patients. Unlike general medical information, mental health and substance use records receive additional federal protections under 42 CFR Part 2, which governs the confidentiality of substance use disorder patient records. The exposure of such information can affect employment prospects, custody proceedings, insurance coverage, and personal relationships in ways that extend far beyond typical healthcare data breaches.
Why it matters
A review of PHI breaches found that Social Security numbers and financial data are the most frequently misused, leading to identity theft and fraud. Global breach studies emphasize that healthcare data exposure leads to secondary harms such as discrimination and reputational damage. Confidentiality research from the Journal of Human Services (JOHS) warns that substance use records, if exposed, can cause irreparable harm through custody disputes, employment loss, and stigmatization. As the APA notes, violations of these protections not only carry legal penalties but also undermine the therapeutic trust required for care.
What they're saying
RBHA Chief Executive Officer Cristi Zedd stated, "We apologize for any inconvenience that may have arisen as a result of this incident and appreciate your understanding as we have worked to resolve this issue."
The organization emphasized its commitment to preventing future incidents: "RBHA has implemented additional security measures designed to further protect the privacy of our clients, staff, and partners. Among other steps taken, we engaged a leading strategic service provider to monitor our cybersecurity systems, reviewed our system's architecture, and implemented stronger policies to prevent future attacks."
FAQs
What is ransomware?
Ransomware is malicious software that encrypts an organization's files and systems, rendering them inaccessible until the victim pays a ransom to obtain decryption keys. Modern ransomware operations often employ "double extortion" tactics, stealing data before encryption and threatening to publish it if ransom demands are not met.
What is a Community Services Board?
Community Services Boards (CSBs) are public agencies in Virginia that provide mental health, developmental disability, and substance use disorder services to local communities. As government entities handling sensitive health information, CSBs must comply with both HIPAA requirements and state privacy regulations.
What is network encryption?
When ransomware encrypts a network, it scrambles files and systems using complex algorithms, making them inaccessible without a decryption key.