On October 17, 2024, Kitsap Mental Health Services (KMHS) discovered suspicious activity during routine monitoring of its business network. An investigation revealed that an unauthorized actor had accessed certain KMHS systems.
The investigation determined that the unauthorized access occurred on September 17, 2024, and again between October 8, 2024 and October 19, 2024. During these incidents, the attacker downloaded data containing sensitive information.
The breach exposed both personally identifiable information (PII) and protected health information (PHI), including names, dates of birth, Social Security numbers, driver’s license or state identification numbers, passport numbers, username and password information, medical record numbers, Medicaid numbers, Medicare numbers, patient account numbers, health insurance account member numbers, medical diagnosis information, medical treatment/procedure information, clinical information, prescription information, provider locations, and provider names.
The breach was reported to the U.S. Department of Health and Human Services on December 16, 2024, and was subsequently disclosed to the Massachusetts Attorney General’s office on May 14, 2025, and to the Vermont Attorney General’s office on May 16, 2025.
According to the Massachusetts Attorney General, 10 individuals in Massachusetts were affected, but the breach likely impacted a larger number of people across other states. The official incident notice is also available on the KMHS website, and the breach is listed in the U.S. Department of Health and Human Services’ breach portal.
After detecting the suspicious activity, KMHS acted to contain and remediate the situation. The organization changed passwords, deployed enhanced monitoring tools, reported the incident to law enforcement, and engaged data security and privacy experts to assist with the investigation. Additional technical safeguards, such as endpoint detection and response monitoring, have been implemented to strengthen system security going forward.
KMHS has worked diligently to analyze the affected information, confirm the identities of potentially impacted individuals, and notify them. The organization has also reported the incident to relevant government agencies. Out of an abundance of caution, KMHS encourages everyone who may be affected to remain vigilant against identity theft and fraud. This includes reviewing account statements, monitoring explanation of benefits forms, and checking free credit reports for any suspicious activity or errors.
Individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. KMHS has provided detailed instructions for obtaining credit reports, placing fraud alerts, and requesting security freezes. If you have questions or need assistance, you can contact KMHS toll-free at 855-549-2618, Monday through Friday from 6:00 a.m. to 6:00 p.m. Pacific Time (excluding U.S. holidays), or by email at compliance@kmhs.org.
You can learn more about their mission and values on the Kitsap Mental Health Services website.