ARC Community Services Data Breach 2025: INC Ransom Attack on Wisconsin Women's Behavioral Health & SUD Provider
ARC Community Services, a Madison, WI nonprofit providing substance use disorder treatment and behavioral health services to women and children, reported a November 2024 ransomware attack by the INC Ransom group to HHS OCR on February 2, 2025. The substitute notice and individual letters confirm names, contact details, dates of birth, medical record numbers, health information, driver's license numbers, and financial account information were exfiltrated.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 4, 2024
ARC Community Services identifies unauthorized network activity and takes systems offline
Nov 4, 2024
Initial unauthorized access window confirmed by third-party digital forensics
Feb 2, 2025
HIPAA breach report filed with HHS OCR (placeholder count of 501 while file review continued)
Aug 28, 2025
File review confirms PHI was included in the exfiltrated data set
Nov 6, 2025
Detailed file review completed; affected-individual identification finalized
Nov 12, 2025
Updated substitute breach notice published on the ARC Community Services website
Dec 4, 2025
Notification filed with New Hampshire Attorney General (and other state AGs)
Dec 22, 2025
Public substitute notice issued via Newswire; individual notification letters mailed
Nov 4, 2024
ARC Community Services identifies unauthorized network activity and takes systems offline
Nov 4, 2024
Initial unauthorized access window confirmed by third-party digital forensics
Feb 2, 2025
HIPAA breach report filed with HHS OCR (placeholder count of 501 while file review continued)
Aug 28, 2025
File review confirms PHI was included in the exfiltrated data set
Nov 6, 2025
Detailed file review completed; affected-individual identification finalized
Nov 12, 2025
Updated substitute breach notice published on the ARC Community Services website
Dec 4, 2025
Notification filed with New Hampshire Attorney General (and other state AGs)
Dec 22, 2025
Public substitute notice issued via Newswire; individual notification letters mailed
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
ARC Community Services, Inc., a Madison, Wisconsin nonprofit that provides residential and outpatient substance use disorder treatment, behavioral health counseling, and parenting and case-management services for women and their children, identified unauthorized network activity on November 4, 2024. A forensic investigation later confirmed the intrusion was a ransomware and data-exfiltration attack by the INC Ransom group, which posted the organization on its dark-web leak site after the ransom was not paid. ARC filed an initial HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights on February 2, 2025, using a placeholder count of 501 individuals while file review continued. A detailed review completed in November 2025 confirmed that protected health information was exfiltrated, and substitute notice and individual notification letters followed in late 2025.
Timeline of what we know
- November 4, 2024 — ARC Community Services identifies unauthorized activity on its network. The organization takes affected systems offline and engages third-party digital forensics. Investigators ultimately attribute the intrusion to the INC Ransom ransomware group.
- February 2, 2025 — ARC submits its HIPAA breach report to HHS OCR using a placeholder count of at least 501 affected individuals while the file review is still in progress.
- August 28, 2025 — File review confirms that protected health information was among the data exfiltrated during the intrusion.
- November 6, 2025 — Detailed file review is completed; ARC finalizes the list of affected individuals and the specific data elements involved per person.
- November 12, 2025 — ARC publishes an updated substitute notice of data breach on its website naming the data elements involved.
- December 4, 2025 — Notification is filed with the New Hampshire Attorney General; additional state AG filings follow as required.
- December 22, 2025 (early December onward) — ARC issues a public substitute notice through Newswire and mails individual notification letters to affected individuals whose addresses could be confirmed.
What was exposed
Per the November 12, 2025 substitute notice and the December 2025 individual notification letters, the data set exfiltrated by INC Ransom may include any combination of the following, depending on the individual:
- Full name and contact information (mailing address)
- Date of birth
- Medical record number
- Health information (clinical / treatment data)
- Driver’s license number
- Financial account information
ARC has noted that not every data element was present for every affected individual. The HHS OCR portal currently lists 501 as a placeholder figure; the final count is expected to be updated as state AG filings and the OCR submission are reconciled.
Why this population is especially sensitive
ARC Community Services serves a population that already faces stigma and elevated downstream risk from disclosure:
- Women in substance use disorder treatment, including pregnant and postpartum women, women with infants, and women in residential SUD treatment. Federal 42 CFR Part 2 confidentiality protections apply to SUD treatment records, and re-disclosure of these records is independently regulated alongside HIPAA.
- Children and families receiving case management, parenting support, and behavioral health services through ARC’s programs.
- Justice-system-involved women, including residential clients connected to women’s offender programs.
Exfiltration of treatment records for this population is more harmful than a typical PHI exposure: it can affect custody disputes, criminal-justice supervision, housing, and employment. Anyone who received services from ARC should treat this as a higher-than-average severity breach for those reasons alone, regardless of whether financial identifiers are present in their individual file.
What ARC is offering
Affected individuals are being directed to a professional assistance line operated by Cyberscout, a TransUnion company, at 1-833-426-3205 (Monday–Friday, 8:00 AM–8:00 PM ET). ARC’s substitute notice and individual letters describe complimentary credit monitoring, identity theft protection, and fraud-assistance services for those whose data was involved. Enrollment instructions and any deadlines are contained in the individual notification letter; the substitute notice on ARC’s website is the path for people who did not receive a mailed letter because ARC could not confirm a current address.
Class-action and regulatory posture
The HHS OCR investigation remains open on the breach portal. State attorney general notifications have been filed with New Hampshire and other states. As of this writing, several plaintiffs’ firms — including Srourian Law Firm — have publicly announced class-action investigations, and consumer-claim aggregators such as ClaimDepot are soliciting potential class members. We are not aware of a consolidated complaint or a filed class-action docket against ARC as of the date this page was last updated; this section will be revised when a complaint is filed or a settlement is reached. INC Ransom continues to list ARC Community Services on its public leak site, indicating the ransom was not paid and stolen data may have been published or is being trafficked.
What to do if you may be affected
Sensitive identifiers and SUD/behavioral-health treatment records were exposed. Treat this as a high-severity exposure and layer your defenses:
- Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud cold. This is the single highest-leverage step when driver’s license and financial-account information are in play.
- Call the dedicated assistance line at 1-833-426-3205 to confirm whether your file was involved and to enroll in the credit-monitoring and identity-protection services ARC is offering.
- Watch for the individual notification letter at the address ARC has on file. The letter will list the specific data elements exposed for you and the enrollment code for the offered services. If you have moved since you were last in contact with ARC, the substitute notice on arccommserv.com applies to you.
- Be alert to medical identity theft. Request Explanation of Benefits statements from your health insurer and verify that all listed claims are services you actually received. Report unfamiliar charges to your insurer and to HHS OCR.
- If your driver’s license number was exposed, contact your state DMV to flag your record and ask about a replacement license number.
- Be skeptical of phone, text, and email outreach claiming to be from ARC or its assistance vendor. Threat actors routinely use leaked identifiers to run targeted phishing after a published breach. ARC will not ask you to provide a full Social Security number or banking credentials by phone to “verify” your record.
- If you received SUD treatment through ARC, be aware that those records carry 42 CFR Part 2 protections in addition to HIPAA. If those records appear to have been re-disclosed without your authorization, you may have additional remedies beyond HIPAA notification.
Sources
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- ARC Community Services — Substitute Notice of Data Breach (updated November 12, 2025) — the entity’s own notice listing data elements involved and assistance-line contact.
- Newswire — ARC Community Services Notice of Data Breach — the publicly distributed substitute notice.
- HIPAA Journal — ARC Community Services Announces November 2024 Ransomware Attack — trade-press summary including INC Ransom attribution and timeline.
- Defensorum — Cyberattack on ARC Community Services by INC Ransom Ransomware Group — corroborating attribution and timeline.
- ClaimDepot — ARC Community Services Data Breach 2025 — class-action investigation status and state AG filings.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- ARC Community Services — Substitute Notice of Data Breach (updated November 12, 2025)
- Newswire — ARC Community Services Notice of Data Breach
- HIPAA Journal — ARC Community Services Announces November 2024 Ransomware Attack
- Defensorum — Cyberattack on ARC Community Services by INC Ransom Ransomware Group
- ClaimDepot — ARC Community Services Data Breach 2025 (class-action investigation)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.