Kansas City behavioral health center announces September 2025 data breach.
What happened
According to Claim Depot, on November 5, 2025, Wyandot Center published a breach notice on their website. The notice explains that the center noticed “unusual activity on its systems” which led to discovering unauthorized access.
Going deeper
When Wyandot Center discovered the unusual activity on its network systems, they engaged with third-party specialists to determine the scope of the breach. The investigation revealed unauthorized access to certain parts of its network between September 21, 2025, and September 22, 2025. The incident “may have resulted in unauthorized access or acquisition of information,” the breach notes. “The information potentially at risk may contain individuals’ first and last name together with one or more of the following: address, date of birth, Social Security number, patient ID, medical record number, health insurance information, service date, diagnosis/condition information, provider name, prescription information, and/or medical history information.”
The bigger picture
Recently, Oglethorpe, Inc., another behavioral health provider announced a network security breach affecting 92,332 individuals. In this breach, the attacker gained unauthorized access to its network between May 15 and June 6, 2025, and extracted files containing patient information.
The company handled the breach similar to how Wyandot did: once unusual activity was detected, Oglethorpe consulted third-party forensic specialists to assist us with securing
the network environment and investigating the extent of the unauthorized access.
While both breaches do not mention the misuse of the accessed information, the effects may be seen long after the breach. Patients and affected individuals may be exposed to the risk of identity theft and/or fraud, as a result of these breaches.
Go deeper: 92,332 Individuals affected in Oglethorpe data breach
Why it matters
From July to September 2025, the HHS Office for Civil Rights (OCR) received reports of 90 network server attacks. The majority of these incidents were related to hacking or IT intrusions aimed at centralized systems that house extensive patient data records.
The increase signifies a larger trend: the reliance on connected systems in healthcare has positioned network servers as prime targets for cybercriminals.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is Wyandot doing about the breach?
Wyandot has implemented additional security measures to reduce the risk of a similar incident in the future. Furthermore, they are providing affected individuals with access to credit monitoring and identity protection services at no cost.
How can healthcare providers prevent similar breaches?
Providers should enforce multi-factor authentication (MFA), apply security patches regularly, encrypt stored data, and continuously monitor servers for suspicious activity.
Could there be legal or regulatory implications for Wyandot?
Yes. When a healthcare provider suffers a data breach involving PHI and PII, they may be subject to legal obligations, regulatory scrutiny, and potentially class-action lawsuits.
How long do healthcare organizations have to report a breach?
HIPAA requires that breaches affecting 500 or more individuals be reported to HHS OCR and the media within 60 days of discovery.
Tshedimoso Makhene
