Baker University Data Breach Exposes Sensitive PII & PHI

Baker University, a private liberal arts institution in Baldwin City, Kansas, recently experienced a significant data breach that may affect the security of sensitive information belonging to students, staff and other individuals affiliated with the university. The incident was first discovered in December 2024, when university officials noticed suspicious activity on certain systems, which ultimately resulted in a network outage. Immediate steps were taken to secure the environment and an investigation was launched to determine the scope and impact of the breach.

The investigation revealed that between Dec. 2, 2024, and Dec. 19, 2024, unauthorized individuals accessed and/or acquired files and folders within the university’s network. Through an extensive review, Baker University determined that a wide range of sensitive information was potentially compromised.

The types of information exposed varied by individual and included names, dates of birth, driver’s license numbers, financial account information, health insurance information, medical information, passport information, Social Security numbers, student identification numbers and tax identification numbers. This means both personally identifiable information (PII) and protected health information (PHI) were involved in the breach.

While the total number of affected individuals has not been publicly disclosed, regulatory filings indicate that at least 66 Massachusetts residents were impacted. The breach was reported to the Attorney Generals' offices in Massachusetts and California on Dec. 19, 2025. Baker University has also posted a public notice on their website to inform all potentially affected parties.

Baker University's response

In direct response to the breach, Baker University immediately secured their network and began a thorough investigation with the assistance of cybersecurity professionals. The university reviewed and updated existing security policies and implemented additional technical measures to prevent similar incidents in the future. The incident was promptly reported to law enforcement and regulatory authorities as required by law.

To support those affected, Baker University is offering complimentary credit monitoring and identity restoration services through IDX for up to 24 months. Impacted individuals have been provided with instructions on how to enroll in these services, which include credit monitoring, identity theft protection and restoration assistance. The enrollment deadline is March 19, 2026.

If you believe your personal information may have been compromised in this breach:

• Carefully review any notice or communication you receive from Baker University or a company that does business with Baker University.
• Monitor financial accounts and credit reports for signs of identity theft.
• Consider placing fraud alerts or credit freezes with the major credit bureaus.
• Be cautious of unsolicited emails or phone calls requesting personal information.

Impacted individuals may contact Baker University about this data breach at 1-844-948-2042, Monday through Friday, 9 a.m. to 9 p.m. ET.