BayMark Health Services discloses data breach exposing PII

Published: January 9, 2025
Updated: May 8, 2025
Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information


On March 20, 2025, BayMark Health Services, Inc.—a major provider of medication-assisted treatment for substance use disorders—discovered a significant data breach that had occurred on two separate dates: September 24, 2024 and October 14, 2024. According to official disclosures, the breach affected a total of 16,548 individuals across the United States. Of these, 11,623 were residents of Texas, 481 were in Maine, and 2 were in Massachusetts.

The breach was the result of a ransomware attack claimed by the RansomHub group, who announced on the dark web that they had obtained 1.5 TB of BayMark’s data and threatened to publish it within 36-37 days. The stolen data included both personally identifiable information (PII) and protected health information (PHI). Specifically, the exposed information consisted of names, Social Security numbers, driver’s license numbers, medical information, health insurance information, and medical records.

The breach was reported to multiple authorities, including the California Attorney General, Maine Attorney General, Massachusetts Attorney General, Texas Attorney General, Vermont Attorney General, and the U.S. Department of Health and Human Services. The company notified affected consumers by U.S. mail on May 2, 2025.

The severity of this breach is considerable, given the sensitivity of the information involved and the nature of the attack. The exposure of both PII and PHI—such as Social Security numbers, health insurance details, and medical records—puts affected individuals at risk for identity theft, insurance fraud, and other forms of misuse.

BayMark Health Services, Inc.'s response

After discovering the breach, BayMark Health Services took steps to notify affected individuals by written letter via U.S. mail. The company also reported the incident to state and federal authorities, as required by law. While the specific details of the company’s response plan have not been disclosed, individuals whose information was involved should remain vigilant.

Given the nature of the attack—ransomware with a threat to publish sensitive data—affected individuals should:

  • Monitor their credit reports and financial accounts for any unusual activity.
  • Consider placing a fraud alert or credit freeze with the major credit bureaus.
  • Watch for suspicious emails or phone calls that could be phishing attempts related to the breach.
  • Review any correspondence from BayMark Health Services for information about resources such as credit monitoring or identity theft protection (if offered).

If you believe you may have been affected and have not received a notification, you can review the official notices provided by the California Attorney General, Maine Attorney General, Massachusetts Attorney General, Texas Attorney General, Vermont Attorney General, or the U.S. Department of Health and Human Services for more details.

About BayMark Health Services, Inc.

BayMark Health Services, Inc. is North America’s largest provider of medication-assisted treatment (MAT) for substance use disorders. The organization offers a range of services, including opioid treatment programs, office-based opioid treatment practices, outpatient and inpatient detox services, residential treatment centers, and behavioral health services. BayMark’s mission is to support individuals on their path to recovery from substance use and mental health disorders. To learn more about the company, visit the BayMark Health Services website.


Consumer notification date: May 02, 2025
Date of breach: October 14, 2024
Breach discovered date: March 20, 2025
Total people affected: 16,548
Information types exposed:
  • Name of individual
  • Social Security number information
  • Driver’s license number
  • Medical information
  • Health insurance information
  • Medical records