Harbor Data Breach Exposes Patients' Social Security Numbers

On Aug. 1, 2025, Harbor, a mental health care provider in northwest Ohio, discovered suspicious activity on its computer network. The company launched an investigation and determined that an unauthorized actor had accessed and exfiltrated certain files from its network between July 25 and Aug. 1, 2025.

A comprehensive review revealed that the compromised files contained both personally identifiable information (PII) and protected health information (PHI) including names, addresses, dates of birth, Social Security numbers, driver’s license numbers or other state identification numbers, financial account information, health insurance information, medical diagnosis and treatment information, and clinical information.

Harbor notified the Maine Attorney General of the incident on Oct. 24, 2025, and reported the breach to the U.S. Department of Health and Human Services on June 20, 2025. According to the Maine Attorney General’s data breach disclosure, five Maine residents received written notification.

Harbor has also posted a public notice of the data breach on its website on Sept. 30, 2025.

Harbor's response

Harbor began notifying affected individuals on Sept. 30, 2025, via a website posting, and on or about Oct. 24, 2025, sent written notices to those with available mailing addresses. The company is offering complimentary credit monitoring and identity protection services through Epiq to individuals whose personal information may have been compromised. These services include one-bureau credit monitoring with alerts, dark web monitoring, credit protection with security freeze assistance, change of address monitoring, and identity restoration support.

In addition, Harbor has provided detailed instructions for affected individuals on how to monitor their credit, place fraud alerts or credit freezes, and report suspected identity theft to the appropriate authorities. The company has also notified state and federal regulators, including the Maine Attorney General’s office, the U.S. Department of Health and Human Services, and the three major credit reporting agencies.

Given the sensitive nature of the information exposed—including Social Security numbers and medical records—individuals are strongly encouraged to remain vigilant for signs of identity theft and fraud. Reviewing account statements, monitoring credit reports, and taking advantage of the free credit monitoring services are important steps to help protect against potential misuse of personal information.