BayMark Health Services Data Breach: RansomHub Attack Exposes 3,170 Addiction Treatment Patients (42 CFR Part 2)
BayMark Health Services, North America's largest medication-assisted treatment provider, was hit by a RansomHub ransomware attack between Sept 24 and Oct 14, 2024. The intruder exfiltrated about 1.5 TB of data, including names, Social Security numbers, driver's license numbers, and addiction treatment records protected by 42 CFR Part 2. OCR filing posted Jan 8, 2025 covering 3,170 individuals; a follow-on filing reported 16,548.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 24, 2024
Unauthorized access to BayMark's network begins
Oct 11, 2024
BayMark detects IT system disruption and identifies the intrusion
Oct 14, 2024
Unauthorized access window ends; RansomHub later claims responsibility and posts stolen data
Nov 5, 2024
Forensic analysis of affected files completed
Jan 8, 2025
Patient notification letters mailed; HHS OCR breach report filed for 3,170 individuals
Jan 8, 2025
BayMark publishes substitute notice on baymark.com
Jul 8, 2025
McCormick v. BayMark Health Services, Inc. filed in the U.S. District Court for the Eastern District of California (No. 1:25-cv-00811)
Sep 24, 2024
Unauthorized access to BayMark's network begins
Oct 11, 2024
BayMark detects IT system disruption and identifies the intrusion
Oct 14, 2024
Unauthorized access window ends; RansomHub later claims responsibility and posts stolen data
Nov 5, 2024
Forensic analysis of affected files completed
Jan 8, 2025
Patient notification letters mailed; HHS OCR breach report filed for 3,170 individuals
Jan 8, 2025
BayMark publishes substitute notice on baymark.com
Jul 8, 2025
McCormick v. BayMark Health Services, Inc. filed in the U.S. District Court for the Eastern District of California (No. 1:25-cv-00811)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
BayMark Health Services, Inc., headquartered in Lewisville, Texas, is North America’s largest provider of medication-assisted treatment (MAT) for opioid and other substance use disorders, operating more than 400 treatment sites across 35 U.S. states and three Canadian provinces and serving roughly 75,000 patients each day. Between September 24 and October 14, 2024, an unauthorized third party had access to BayMark’s network for approximately three weeks. The attack was claimed by the RansomHub ransomware-as-a-service group, which stated it exfiltrated about 1.5 TB of data and posted the files to its dark web leak site after BayMark declined to pay a ransom. BayMark filed its initial HHS Office for Civil Rights breach report on January 8, 2025, reporting 3,170 affected individuals. Multiple secondary reports indicate a follow-on disclosure raising the total to approximately 16,548 individuals; this page tracks the OCR-reported figure as the authoritative regulatory record.
Timeline
- September 24, 2024 — Unauthorized access to BayMark’s network begins.
- October 11, 2024 — BayMark detects an IT system disruption and identifies the intrusion.
- October 14, 2024 — Unauthorized access ends. RansomHub later claims responsibility and begins listing BayMark on its leak site.
- November 5, 2024 — Forensic analysis of the affected files is completed.
- January 8, 2025 — BayMark begins mailing patient notification letters and files its breach report with the HHS Office for Civil Rights for 3,170 individuals. A substitute notice is published at baymark.com.
- July 8, 2025 — McCormick v. BayMark Health Services, Inc., No. 1:25-cv-00811, is filed in the U.S. District Court for the Eastern District of California, seeking class certification on behalf of affected patients.
What was exposed
BayMark’s own notice and the corroborating press reporting describe the exposed records as containing, in varying combinations per individual:
- Patient name
- Date of birth
- Social Security number
- Driver’s license number or other state-issued ID number
- Health insurance information
- Services received and dates of service
- Name of treating provider
- Diagnostic and treatment information
Because the exfiltrated files include diagnostic and treatment information from a federally certified opioid treatment and substance use disorder program, the affected records fall within the scope of HIPAA and the separate confidentiality regime at 42 CFR Part 2.
Why this breach is especially sensitive: 42 CFR Part 2
42 CFR Part 2 is the federal confidentiality rule that protects records of patients who receive treatment from federally assisted substance use disorder (SUD) programs, which includes opioid treatment programs and the MAT clinics BayMark operates. Part 2 records receive a stricter standard than ordinary HIPAA-protected health information:
- The mere fact that a person is identified as a patient of a Part 2 program is itself protected. Re-disclosure without specific written consent is prohibited.
- Part 2 records may not be used in criminal proceedings against the patient without a court order meeting heightened criteria.
- Employers, insurers, family members, and law enforcement generally cannot access Part 2 records without the patient’s explicit, written, program-specific consent.
A leaked Part 2 record can therefore carry real-world consequences a generic medical record does not: loss of employment, denial of housing, custody disputes, immigration consequences, professional licensing risk, and stigma. Anyone whose BayMark record was exfiltrated should treat the disclosure as carrying both financial-identity and behavioral-health-disclosure risk.
What BayMark is offering
For individuals whose Social Security number or driver’s license number was involved, BayMark is offering 12 months of complimentary identity monitoring through Equifax. BayMark has also established a dedicated toll-free call center at 855-295-0995 (Monday–Friday, 8 a.m.–8 p.m. Central Time, excluding holidays) for questions about the incident.
Class-action litigation
At least one putative class action has been filed in federal court: McCormick v. BayMark Health Services, Inc., No. 1:25-cv-00811 in the U.S. District Court for the Eastern District of California. Multiple plaintiffs’ firms publicly announced investigations in the days after the January 2025 notification, including Edelson Lechtzin LLP, Federman & Sherwood, Strauss Borrelli PLLC, Levi & Korsinsky LLP, and The Lyon Firm.
What to do if you may be affected
- Freeze your credit at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). It is free, reversible, and the single highest-leverage step against new-account identity theft. Driver’s license freezes through your state DMV are also worth doing if your license number was involved.
- Enroll in the Equifax identity monitoring BayMark is offering if you receive an enrollment code. It does not replace a credit freeze; use both.
- Watch for tax-refund fraud and benefits fraud. Social Security numbers from medical breaches are frequently used to file fraudulent tax returns and unemployment claims. File your federal return early and consider requesting an IRS Identity Protection PIN.
- Understand the 42 CFR Part 2 angle. If you are concerned that the disclosure of your status as a BayMark patient could affect employment, custody, immigration, or housing, consider consulting a healthcare-privacy attorney before responding to any third party that contacts you claiming knowledge of your treatment.
- Keep the notification letter. It documents your standing to participate in the pending class action and any future regulatory remedies.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- BayMark Health Services — Notice of Data Privacy Incident — the entity’s own substitute notice.
- HIPAA Journal — BayMark Health Services Notifies Patients About October Ransomware Attack
- BleepingComputer — Largest US addiction treatment provider notifies patients of data breach
- Malwarebytes Labs — BayMark Health Services sends breach notifications after ransomware attack
- The Register — Drug addiction treatment company fesses up to data theft
- McCormick v. BayMark Health Services, Inc., No. 1:25-cv-00811 (E.D. Cal.)
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- BayMark Health Services — Notice of Data Privacy Incident
- HIPAA Journal — BayMark Health Services Notifies Patients About October Ransomware Attack
- BleepingComputer — Largest US addiction treatment provider notifies patients of data breach
- Malwarebytes — BayMark sends breach notifications after ransomware attack
- The Register — Drug addiction treatment company fesses up to data theft
- McCormick v. BayMark Health Services, Inc., No. 1:25-cv-00811 (E.D. Cal.)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.