Valley Mountain Regional Center Data Breach Affects 54K People

Valley Mountain Regional Center, experienced a significant data breach that affected 54,286 individuals in the United States. The breach was first detected on Aug. 1, 2023, when the organization noticed unusual activity on its network. Subsequent investigation revealed that unauthorized actors had accessed and acquired sensitive data on or about July 29, 2023.

A thorough review, completed on Feb. 20, 2024, confirmed the scope of the breach. The exposed information included personally identifiable information (PII) such as names, Social Security numbers and driver’s license numbers, as well as protected health information (PHI) like medical and health insurance details. The breach also affected a subset of residents in specific states, including 351 individuals in Texas and 26 in Massachusetts.

The breach was officially disclosed to several authorities: the Oregon Attorney General's office on April 19, 2024, the California Attorney General's office, the Texas Attorney General's office, the Massachusetts Attorney General's office and the U.S. Department of Health and Human Services on July 25, 2025.

The information exposed in this incident included: names, Social Security numbers, driver’s license numbers, medical information and health insurance information. This combination of PII and PHI represents a serious risk, as both identity theft and medical fraud are possible consequences.

Valley Mountain Regional Center's response

To help those affected, Valley Mountain Regional Center partnered with Cyberscout, a TransUnion company, to provide complimentary credit monitoring, credit reports and credit score services for 12 months. Affected individuals received notification by U.S. mail on April 19, 2024, with instructions for enrolling in these services. The notification included a unique enrollment code and a link to activate services. Individuals are encouraged to enroll in these services within 90 days of receiving the notice.

The organization has also implemented additional security measures to reduce the risk of similar incidents in the future. Those affected are advised to remain vigilant by monitoring account statements, reviewing free annual credit reports, and considering placing fraud alerts or security freezes on their credit files. The notification letter offers detailed guidance on steps individuals can take, including contacting the IRS for an Identity Protection PIN and reaching out to authorities if they suspect identity theft.