Active breach tracker TX Disclosed January 8, 2025

BayMark Health Services Data Breach: RansomHub Attack Exposes 3,170 Addiction Treatment Patients (42 CFR Part 2)

BayMark Health Services, North America's largest medication-assisted treatment provider, was hit by a RansomHub ransomware attack between Sept 24 and Oct 14, 2024. The intruder exfiltrated about 1.5 TB of data, including names, Social Security numbers, driver's license numbers, and addiction treatment records protected by 42 CFR Part 2. OCR filing posted Jan 8, 2025 covering 3,170 individuals; a follow-on filing reported 16,548.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 24, 2024

Unauthorized access to BayMark's network begins

Oct 11, 2024

BayMark detects IT system disruption and identifies the intrusion

Oct 14, 2024

Unauthorized access window ends; RansomHub later claims responsibility and posts stolen data

Nov 5, 2024

Forensic analysis of affected files completed

Jan 8, 2025

Patient notification letters mailed; HHS OCR breach report filed for 3,170 individuals

Jan 8, 2025

BayMark publishes substitute notice on baymark.com

Jul 8, 2025

McCormick v. BayMark Health Services, Inc. filed in the U.S. District Court for the Eastern District of California (No. 1:25-cv-00811)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Diagnostic and treatment information (including substance use disorder treatment data protected by 42 CFR Part 2)

03

Contact & insurance

Phishing + targeted scams

Patient name Health insurance information Services received and dates of service Treating provider name

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Edelson Lechtzin LLP Federman & Sherwood Strauss Borrelli PLLC Levi & Korsinsky, LLP The Lyon Firm
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

BayMark Health Services, Inc., headquartered in Lewisville, Texas, is North America’s largest provider of medication-assisted treatment (MAT) for opioid and other substance use disorders, operating more than 400 treatment sites across 35 U.S. states and three Canadian provinces and serving roughly 75,000 patients each day. Between September 24 and October 14, 2024, an unauthorized third party had access to BayMark’s network for approximately three weeks. The attack was claimed by the RansomHub ransomware-as-a-service group, which stated it exfiltrated about 1.5 TB of data and posted the files to its dark web leak site after BayMark declined to pay a ransom. BayMark filed its initial HHS Office for Civil Rights breach report on January 8, 2025, reporting 3,170 affected individuals. Multiple secondary reports indicate a follow-on disclosure raising the total to approximately 16,548 individuals; this page tracks the OCR-reported figure as the authoritative regulatory record.

Timeline

  • September 24, 2024 — Unauthorized access to BayMark’s network begins.
  • October 11, 2024 — BayMark detects an IT system disruption and identifies the intrusion.
  • October 14, 2024 — Unauthorized access ends. RansomHub later claims responsibility and begins listing BayMark on its leak site.
  • November 5, 2024 — Forensic analysis of the affected files is completed.
  • January 8, 2025 — BayMark begins mailing patient notification letters and files its breach report with the HHS Office for Civil Rights for 3,170 individuals. A substitute notice is published at baymark.com.
  • July 8, 2025McCormick v. BayMark Health Services, Inc., No. 1:25-cv-00811, is filed in the U.S. District Court for the Eastern District of California, seeking class certification on behalf of affected patients.

What was exposed

BayMark’s own notice and the corroborating press reporting describe the exposed records as containing, in varying combinations per individual:

  • Patient name
  • Date of birth
  • Social Security number
  • Driver’s license number or other state-issued ID number
  • Health insurance information
  • Services received and dates of service
  • Name of treating provider
  • Diagnostic and treatment information

Because the exfiltrated files include diagnostic and treatment information from a federally certified opioid treatment and substance use disorder program, the affected records fall within the scope of HIPAA and the separate confidentiality regime at 42 CFR Part 2.

Why this breach is especially sensitive: 42 CFR Part 2

42 CFR Part 2 is the federal confidentiality rule that protects records of patients who receive treatment from federally assisted substance use disorder (SUD) programs, which includes opioid treatment programs and the MAT clinics BayMark operates. Part 2 records receive a stricter standard than ordinary HIPAA-protected health information:

  • The mere fact that a person is identified as a patient of a Part 2 program is itself protected. Re-disclosure without specific written consent is prohibited.
  • Part 2 records may not be used in criminal proceedings against the patient without a court order meeting heightened criteria.
  • Employers, insurers, family members, and law enforcement generally cannot access Part 2 records without the patient’s explicit, written, program-specific consent.

A leaked Part 2 record can therefore carry real-world consequences a generic medical record does not: loss of employment, denial of housing, custody disputes, immigration consequences, professional licensing risk, and stigma. Anyone whose BayMark record was exfiltrated should treat the disclosure as carrying both financial-identity and behavioral-health-disclosure risk.

What BayMark is offering

For individuals whose Social Security number or driver’s license number was involved, BayMark is offering 12 months of complimentary identity monitoring through Equifax. BayMark has also established a dedicated toll-free call center at 855-295-0995 (Monday–Friday, 8 a.m.–8 p.m. Central Time, excluding holidays) for questions about the incident.

Class-action litigation

At least one putative class action has been filed in federal court: McCormick v. BayMark Health Services, Inc., No. 1:25-cv-00811 in the U.S. District Court for the Eastern District of California. Multiple plaintiffs’ firms publicly announced investigations in the days after the January 2025 notification, including Edelson Lechtzin LLP, Federman & Sherwood, Strauss Borrelli PLLC, Levi & Korsinsky LLP, and The Lyon Firm.

What to do if you may be affected

  1. Freeze your credit at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). It is free, reversible, and the single highest-leverage step against new-account identity theft. Driver’s license freezes through your state DMV are also worth doing if your license number was involved.
  2. Enroll in the Equifax identity monitoring BayMark is offering if you receive an enrollment code. It does not replace a credit freeze; use both.
  3. Watch for tax-refund fraud and benefits fraud. Social Security numbers from medical breaches are frequently used to file fraudulent tax returns and unemployment claims. File your federal return early and consider requesting an IRS Identity Protection PIN.
  4. Understand the 42 CFR Part 2 angle. If you are concerned that the disclosure of your status as a BayMark patient could affect employment, custody, immigration, or housing, consider consulting a healthcare-privacy attorney before responding to any third party that contacts you claiming knowledge of your treatment.
  5. Keep the notification letter. It documents your standing to participate in the pending class action and any future regulatory remedies.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.