Brien Center Data Breach Exposes Protected Health Information

On May 21, 2025, The Brien Center for Mental Health and Substance Abuse Services discovered suspicious activity within its network, indicating that an unauthorized third party had gained access to certain internal systems. According to the official notice filed with the Vermont Attorney General’s office, the breach occurred between May 19 and May 21, 2025. The ongoing investigation, supported by third-party cybersecurity specialists, has so far determined that the intruder accessed and potentially acquired sensitive data from these systems.

The disclosure to the Dept. of Health & Human Services reports 5,427 individuals have been affected. The types of information exposed include both personally identifiable information (PII) and protected health information (PHI): names, dates of birth, addresses, phone numbers, email addresses, client IDs, dates and times of recent visits, and clinical diagnostic information. This combination of PII and PHI heightens the risk for those affected, as it not only exposes basic identity details but also sensitive health-related data.

The Brien Center has posted its own public disclosure and notice to consumers on its website.

The Brien Center's response

After detecting the breach, The Brien Center acted to secure its systems and launched a comprehensive investigation with the help of external cybersecurity experts. The organization has notified all potentially affected individuals and regulatory authorities as required.

To support those impacted, The Brien Center is offering complimentary credit monitoring and identity restoration services through Epiq Privacy Solutions ID, which includes one-bureau credit monitoring, credit report and score access, $1 million in identity theft insurance, ID restoration services, and dark web monitoring. Affected individuals are encouraged to enroll in these services and remain vigilant by reviewing account statements and monitoring their free annual credit reports for any suspicious activity.

Given the nature of the breach—which involved unauthorized access to both personal and clinical information—it is especially important for those affected to take proactive steps. These may include placing a fraud alert or credit freeze with the major credit bureaus, monitoring for signs of identity theft, and taking advantage of the credit monitoring resources provided. Detailed instructions and contact information for the credit bureaus are included in the official notice.