ARC Community Services Data Breach Exposes Sensitive Information

ARC Community Services, a Madison, Wisconsin-based nonprofit that provides substance abuse treatment and support services for women and children, recently experienced a significant data breach. The breach resulted in the unauthorized acquisition of files containing both personally identifiable information (PII) and protected health information (PHI).

The breach was first discovered on Nov. 4, 2024, when ARC Community Services identified unauthorized activity on its network. The incident was later confirmed to be a ransomware attack carried out by the group known as INC Ransom, which claimed responsibility and posted sample screenshots of stolen data on its dark web portal.

The types of data exposed vary by individual, but may include Social Security numbers, contact information (such as first and last name and address), dates of birth, medical record numbers, health information, driver’s license numbers and financial account information. The attack was severe in nature, as it involved a ransomware group that not only encrypted but also exfiltrated sensitive files.

The company posted a Notice of Data Breach on its website, and disclosed the cybersecurity incident to the New Hampshire Attorney General's office on Dec. 4, 2025.

ARC Community Services' response

After discovering the breach, the company took immediate action by shutting down affected systems and engaging external cybersecurity experts to investigate the incident and assist in recovery efforts.

If you believe your personal information may have been compromised in this breach:

• Carefully review any notice or communication you receive from ARC Community Services or a company that does business with ARC Community Services.
• Monitor financial accounts and credit reports for signs of identity theft.
• Consider placing fraud alerts or credit freezes with the major credit bureaus.
• Be cautious of unsolicited emails or phone calls requesting personal information.