Active breach tracker Anchorage, Alaska Disclosed November 19, 2025

Anchorage Neighborhood Health Center Data Breach 2025: 70,555 Patients · FQHC Hacking/IT Incident · Class Action Filed

Anchorage Neighborhood Health Center (ANHC), the federally qualified health center serving Anchorage, Alaska, filed a HIPAA breach notification with HHS OCR on November 19, 2025 reporting 70,555 affected individuals from a Hacking/IT Incident on a network server. Unauthorized network access occurred August 24-25, 2025. Exposed data includes Social Security numbers, dates of birth, state ID numbers, medical treatment information, and health insurance information. Up to 24 months of Experian credit monitoring offered. Class action Hunt v. ANHC pending in the District of Alaska.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 22, 2025

ANHC phone lines go down; patients report inability to reach the clinic

Aug 24, 2025

Unauthorized actor accesses ANHC network (per entity notice)

Aug 25, 2025

Intrusion detected; ANHC takes affected systems offline and engages third-party forensic firm

Sep 5, 2025

Alaska's News Source reports an anonymous hacker group claims ~10,000 patient records leaked; ANHC confirms forensic investigation

Sep 15, 2025

Hackers escalate claim to ~60,000 records (~23 TB) on leak site

Sep 16, 2025

FBI Anchorage Field Office publicly confirms awareness of the incident

Nov 19, 2025

HHS OCR breach filing: 70,555 affected; Hacking/IT Incident, Network Server

Dec 16, 2025

Individual notification letters mailed; up to 24 months of Experian credit monitoring offered

Mar 1, 2026

Hunt et al v. Anchorage Neighborhood Health Center, No. 3:26-cv-00048, filed in U.S. District Court for the District of Alaska (Judge Sharon L. Gleason)

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers State-issued ID numbers (including driver's license numbers)

02

Health records

Don't expire and can't be reissued

Medical treatment information

03

Contact & insurance

Phishing + targeted scams

Names Dates of birth Health insurance information ~23 TB of data claimed exfiltrated by anonymous threat actor (leak-site claim)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (publicly investigating) Levi & Korsinsky, LLP (publicly investigating) Counsel of record in Hunt et al v. Anchorage Neighborhood Health Center, No. 3:26-cv-00048 (D. Alaska)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Anchorage Neighborhood Health Center (ANHC), the federally qualified health center that has served Anchorage residents since 1974, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 19, 2025, reporting 70,555 affected individuals in a Hacking/IT Incident affecting a network server. Forensic investigation found unauthorized network access between August 24 and August 25, 2025, and the intrusion was detected on August 25, 2025 after ANHC’s phone lines and computer systems went down beginning August 22.

Timeline

  • August 22, 2025 — ANHC phone lines down; patients report inability to reach the clinic (per Alaska’s News Source).
  • August 24-25, 2025 — Unauthorized network access window, per ANHC’s notification and HIPAA Journal coverage.
  • August 25, 2025 — Intrusion detected; ANHC takes affected systems offline, engages third-party forensic experts, and contacts law enforcement.
  • September 3, 2025 — ANHC publicly acknowledges “limited computer access due to technical difficulties.”
  • September 5, 2025 — Alaska’s News Source reports an anonymous hacker group claims ~10,000 patient records leaked; ANHC confirms it is investigating.
  • September 15-16, 2025 — Hackers escalate their claim to roughly 60,000 records (asserting ~23 TB of data exfiltrated). The FBI Anchorage Field Office publicly confirms awareness.
  • November 19, 2025 — ANHC files HIPAA breach report with HHS OCR: 70,555 individuals, Hacking/IT Incident, Network Server. Parallel state attorney general filings (Maine, Oregon) follow.
  • December 2025 — Individual notification letters begin going out, per Comparitech.
  • 2026 — Putative class action Hunt et al v. Anchorage Neighborhood Health Center, Inc., No. 3:26-cv-00048, filed in the U.S. District Court for the District of Alaska before Judge Sharon L. Gleason. Federman & Sherwood and Levi & Korsinsky publicly announce parallel investigations.

What was exposed

According to ANHC’s notification and trade-press reporting on the notice, the data elements implicated for at least some individuals include:

  • Names
  • Social Security numbers
  • Dates of birth
  • State-issued ID numbers (including driver’s license numbers)
  • Medical treatment information
  • Health insurance information

The anonymous threat actor publicly claimed exfiltration of approximately 23 TB of data and escalated its public victim count from ~10,000 to ~60,000 before ANHC’s final OCR filing of 70,555. ANHC has stated it has “no evidence” the information has been used for identity theft or financial fraud, but that statement does not preclude future misuse, particularly given that Social Security numbers and dates of birth do not change.

Sensitive-population considerations (FQHC)

ANHC is a federally qualified health center. FQHCs are HRSA-supported safety-net clinics that, by statutory mandate, serve patients regardless of ability to pay. ANHC’s patient population of roughly 15,000 includes uninsured and Medicaid-enrolled Alaskans, people experiencing homelessness, and other groups for whom an FQHC is often the only realistic primary-care option. Two consequences follow from that mission:

  • The exposed data set is unusually sensitive in aggregate. A combined leak of SSN, date of birth, driver’s license number, and health-insurance enrollment status is the canonical identity-theft starter kit, and it is more damaging for people with thin credit files, unstable housing, or limited time and resources to contest fraudulent accounts.
  • Categories of treatment carry stigma and discrimination risk. ANHC provides behavioral health, substance-use treatment, and care for people experiencing homelessness. Disclosure of “medical treatment information” tied to an identified patient can affect housing, employment, custody, and immigration matters in ways a fraud-only framing understates. SUD treatment records may carry additional 42 CFR Part 2 protections; OCR began enforcing Part 2 under a unified rule in February 2026.

What ANHC is offering

ANHC is offering eligible individuals up to 24 months of complimentary credit monitoring and identity-protection services through Experian, per HIPAA Journal’s reporting on the notice. Comparitech’s summary references a 12-month tier, suggesting the offer is tiered by data-element exposure, with the 24-month term going to recipients whose Social Security numbers were involved. ANHC has also stated it has implemented additional cybersecurity controls and enhanced monitoring following the incident.

Class-action posture

A putative class action, Hunt et al v. Anchorage Neighborhood Health Center, Inc., No. 3:26-cv-00048, is pending in the U.S. District Court for the District of Alaska before Judge Sharon L. Gleason. Plaintiff-side investigations were publicly announced by Federman & Sherwood and Levi & Korsinsky in late 2025. The OCR investigation remains open as of this update.

What to do if you may be affected

  • Read the notification letter carefully. It lists the specific data elements involved for you and the activation code for the Experian credit-monitoring offer. The enrollment deadline matters; do not let it lapse.
  • Place a credit freeze with Equifax, Experian, and TransUnion. A freeze is free, separate from credit monitoring, and is the single most effective control against new-account identity theft. Because driver’s license numbers were involved, consider requesting a new license number from the Alaska DMV if your letter confirms yours was exposed.
  • File an IRS Identity Protection PIN request at IRS.gov. Tax-refund fraud is one of the most common downstream uses of stolen SSN + DOB combinations.
  • Watch for ANHC-themed phishing. Threat actors who post stolen data routinely follow up with phishing emails and SMS impersonating the breached entity’s “support team.” ANHC will not ask you for your SSN or password by email or text.
  • If you are an ANHC behavioral-health or substance-use treatment patient, the medical-treatment disclosure carries discrimination risks that go beyond financial fraud. Document any adverse housing, employment, or benefits decisions you suspect are linked to disclosure; SUD records may also carry 42 CFR Part 2 protections.
  • Preserve your legal options. If you receive an ANHC notice, retain it. The Hunt class action is active, and the named plaintiff-side firms are accepting intake.

Sources

We confirm these details directly against the HHS OCR portal record and the cited reporting; this page will be updated as the Hunt v. ANHC docket advances or as further notice details become public.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.