Heartland Health Breach Exposes SSNs & Health Info of 43,728

On Feb. 4, 2025, Heartland Health Center discovered it was the victim of a ransomware attack carried out by the MEDUSA group. The types of information exposed are extensive and include both personally identifiable information (PII) and protected health information (PHI) of at least 43,728 current and former patients across the U.S.

The attackers claimed responsibility on their dark web portal, stating they had obtained sensitive data and threatening to publish it within 11 to 12 days. Sample screenshots of the stolen data were also posted online. Notably, this is not the first time Heartland Health Center has been targeted, as it previously suffered a LockBit ransomware attack on May 9, 2024.

The compromised data may include: name, Social Security number, date of birth, driver license number, financial information, medical information, and health insurance information.

The severity of this breach is heightened by the nature of the information accessed. The exposure of PII and PHI creates a risk of identity theft, financial fraud and medical identity theft. The MEDUSA ransomware group’s involvement and their public threats to leak data further elevate concerns for those affected.

For more information, see the public notice posted by Heartland Health Center. Beginning on Oct. 17, 2025, data breach was also disclosed to the U.S. Department of Health and Human Services, and the Attorney Generals' offices in Massachusetts and Montana.

Heartland Health Center's response

Upon discovering the unauthorized access, Heartland Health Center immediately engaged forensic consultants to investigate the incident, secure its systems and prevent further unauthorized access. The organization conducted a thorough review of the compromised files to determine the extent of sensitive information involved. By June 3, 2025, this review was completed, and affected individuals were identified.

Heartland Health Center has taken several steps to support those impacted:

• Individual notification letters were mailed to affected persons with valid addresses on Oct. 17, 2025
• A substitute notice has been posted for individuals who could not be reached directly
• Complimentary credit monitoring, cyber monitoring and identity theft protection services are available through TransUnion and Cyberscout for those impacted
• A dedicated call center is available at 833-426-5380, Monday through Friday, 8 a.m. to 8 p.m. Eastern Time

Given the nature of the breach, it is strongly recommended that affected individuals:

• Enroll in the complimentary credit and cyber monitoring services provided
• Regularly review statements from healthcare providers, insurance companies, banks and credit card issuers for unfamiliar activity
• Order a free annual credit report and check for unauthorized accounts or inquiries
• Place a fraud alert or security freeze on credit files if concerned about identity theft
• Immediately report any suspicious or fraudulent activity to relevant institutions and law enforcement