Behavioral Health Resources Data Breach 2025: 49,213 Patients Reported to HHS OCR (Later Updated to 50,083) in Olympia, WA Network Server Intrusion · $1.1M Class-Action Settlement
Behavioral Health Resources (Olympia, WA) detected unauthorized access to its network on November 20, 2024, filed an initial HIPAA breach report with HHS OCR on January 17, 2025 listing 49,213 affected individuals at a Network Server, and ultimately notified 50,083 current and former behavioral health and substance use disorder patients. The matter settled for $1.1 million in Walker et al. v. Behavioral Health Resources (Thurston County Superior Court).
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 20, 2024
BHR detects suspicious activity in its computer environment; unauthorized access to the network server confirmed
Nov 20, 2024
Internal containment and third-party forensic investigation begin
Jan 17, 2025
Initial HIPAA breach report filed with HHS OCR listing 49,213 affected individuals at a Network Server (interim figure pending completion of the data review)
Apr 17, 2025
Individual notification letters mailed to the revised final tally of 50,083 current and former patients
Apr 18, 2025
Substitute notice published and state attorney general filings completed (including Maine, with 4 affected residents)
Aug 25, 2025
Settlement agreement reached in Walker et al. v. Behavioral Health Resources (Case No. 25-2-00630-34), consolidating five putative class actions
Sep 12, 2025
Preliminary approval granted by Thurston County Superior Court; class notice program authorized
Oct 14, 2025
Settlement class notice mailed to affected individuals
Dec 13, 2025
Opt-out and objection deadline for class members
Jan 12, 2026
Claim submission deadline for the $1.1 million settlement fund
Feb 6, 2026
Final approval hearing scheduled in Thurston County Superior Court (9:00 a.m. PT, 2000 Lakeridge Drive SW, Bldg 2, Olympia, WA)
Nov 20, 2024
BHR detects suspicious activity in its computer environment; unauthorized access to the network server confirmed
Nov 20, 2024
Internal containment and third-party forensic investigation begin
Jan 17, 2025
Initial HIPAA breach report filed with HHS OCR listing 49,213 affected individuals at a Network Server (interim figure pending completion of the data review)
Apr 17, 2025
Individual notification letters mailed to the revised final tally of 50,083 current and former patients
Apr 18, 2025
Substitute notice published and state attorney general filings completed (including Maine, with 4 affected residents)
Aug 25, 2025
Settlement agreement reached in Walker et al. v. Behavioral Health Resources (Case No. 25-2-00630-34), consolidating five putative class actions
Sep 12, 2025
Preliminary approval granted by Thurston County Superior Court; class notice program authorized
Oct 14, 2025
Settlement class notice mailed to affected individuals
Dec 13, 2025
Opt-out and objection deadline for class members
Jan 12, 2026
Claim submission deadline for the $1.1 million settlement fund
Feb 6, 2026
Final approval hearing scheduled in Thurston County Superior Court (9:00 a.m. PT, 2000 Lakeridge Drive SW, Bldg 2, Olympia, WA)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Behavioral Health Resources (BHR), a community behavioral health and substance use disorder treatment provider headquartered in Olympia, Washington and serving Thurston, Mason, and Grays Harbor counties, detected suspicious activity in its network environment on November 20, 2024. A third-party forensic investigation confirmed that an unauthorized actor had accessed BHR systems and exfiltrated files containing protected health information from a Network Server. BHR filed an initial HIPAA breach report with HHS OCR on January 17, 2025 listing 49,213 affected individuals. After completing its review, the entity ultimately notified 50,083 current and former patients. The matter has since settled for $1.1 million in Walker et al. v. Behavioral Health Resources, with a final approval hearing set for February 6, 2026.
Timeline of what we know
- November 20, 2024. BHR identifies suspicious activity in its computer environment. Containment and a third-party forensic investigation begin the same day.
- January 17, 2025. BHR submits its initial HIPAA breach report to HHS OCR. The portal entry records 49,213 affected individuals, a Hacking/IT Incident at a Network Server, with the data review still ongoing.
- April 17, 2025. Individual notification letters are mailed to the revised final tally of 50,083 current and former patients. BHR stands up a dedicated assistance line.
- April 18, 2025. Substitute notice is posted and state attorney general filings are completed. Maine’s AG filing confirms 4 affected Maine residents.
- Early 2025. Five putative class-action complaints are filed in Thurston County Superior Court, including suits led by plaintiffs Carol Walker, Rebecca A. Campos, Adam Shotswell, Smukweshun Okena, and Kim Ridgway.
- August 25, 2025. A $1.1 million non-reversionary settlement is reached in the consolidated case, Walker et al. v. Behavioral Health Resources (Case No. 25-2-00630-34).
- September 12, 2025. The court grants preliminary approval of the settlement and authorizes the class notice program.
- October 14, 2025. Settlement class notice is mailed to affected individuals.
- December 13, 2025. Opt-out and objection deadline for class members.
- January 12, 2026. Claim submission deadline (online or postmarked).
- February 6, 2026. Final approval hearing in Thurston County Superior Court, 9:00 a.m. PT.
What was exposed
Per BHR’s notification letter, the substitute notice, and the Maine attorney general filing, the files accessed during the intrusion may have contained, depending on the individual:
- Full name (including maiden names) and date of birth
- Home address and contact information
- Social Security number
- Government-issued ID number and, in some cases, tribal ID number
- Financial account information (institution names, account numbers, taxpayer identification numbers)
- Medical records, including diagnoses, treatment information, lab results, medication data, and admission/discharge dates
- Behavioral health and substance use disorder treatment information
- Health insurance information, beneficiary numbers, and medical billing details
- Biometric and genetic information
- Full facial photographs
- Electronic signatures
Not every data element was present for every affected individual.
Why this exposure is especially sensitive: 42 CFR Part 2
BHR’s patient population includes adults and children receiving behavioral health care and substance use disorder (SUD) treatment. Records that identify a person as having sought or received SUD treatment from a federally assisted program are protected by 42 CFR Part 2, which is significantly stricter than HIPAA. Part 2 generally prohibits the use or disclosure of patient identifying information for criminal proceedings, custody disputes, employment decisions, or immigration proceedings without specific written consent or a Part 2 court order. The unauthorized disclosure of Part 2 records can carry independent civil and criminal penalties.
Exposure of behavioral health diagnoses and SUD treatment records also carries real-world harms that pure financial-fraud exposures do not. These include discrimination in employment, housing, child custody, and insurance underwriting; stigma in family and community relationships; and chilling effects on patients’ willingness to seek future treatment. Affected individuals should weigh the credit-monitoring steps below against the longer-tail privacy harms of their behavioral health information being in unknown hands.
What BHR is offering
BHR established a dedicated call center for affected individuals, available Monday through Friday during business hours. The notification letter directs affected individuals to enrollment instructions for complimentary credit monitoring and identity-protection services. Class members under the settlement are also eligible for three years of CyEx Medical Shield Total identity monitoring with $1 million in identity-theft insurance (covering healthcare insurance ID exposure, Medical Record Number exposure, and unauthorized Health Savings Account spending), in addition to:
- Up to $5,000 in reimbursement for documented out-of-pocket losses tied to the breach (covering losses between November 20, 2024 and January 12, 2026)
- Up to 5 hours of lost-time compensation at $25 per hour (maximum $125)
- An estimated $100 one-time pro-rata cash payment per claimant (no proof required)
The settlement fund of $1,100,000 is allocated after attorneys’ fees (up to $366,666.67), expenses (up to $25,000), and service awards ($2,500 each for five class representatives, totaling $12,500). Final per-claimant payment amounts depend on the volume of valid claims filed by January 12, 2026. Claims were submitted at BHRSettlement.com or mailed to the Settlement Administrator (Simpluris) at P.O. Box 25226, Santa Ana, CA 92799-9958.
Class-action and regulatory posture
Five putative class actions filed in Thurston County Superior Court were consolidated into Walker et al. v. Behavioral Health Resources (Case No. 25-2-00630-34). Plaintiffs alleged that BHR failed to implement reasonable cybersecurity safeguards, failed to encrypt protected health information at rest, and failed to timely notify affected patients. The complaints raised negligence, breach of implied contract, breach of fiduciary duty, and Washington Consumer Protection Act claims.
The parties reached a $1.1 million non-reversionary settlement on August 25, 2025. The court granted preliminary approval on September 12, 2025. Class notice was mailed on October 14, 2025. A final approval hearing was scheduled for February 6, 2026 before the Thurston County Superior Court.
Court-appointed class counsel are Kaleigh N. Boyd and Joan M. Pradhan of Tousley Brain Stephens PLLC and William B. Federman and Tanner R. Hilton of Federman & Sherwood. Strauss Borrelli PLLC was involved in the initial investigation. Settlement administration is handled by Simpluris; the court-approved settlement site is BHRSettlement.com (administrator: 1-833-417-4912 / [email protected]).
The HHS Office for Civil Rights breach investigation under the federal Breach Notification Rule remains open on the OCR portal; no public OCR enforcement action has been announced as of this writing.
What to do if you may be affected
Behavioral health and SUD records are among the most sensitive categories of PHI. Treat this as a high-severity exposure.
- Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud. This is the single highest-leverage step when SSNs are in play.
- The claim deadline (January 12, 2026) has passed. If you submitted a timely claim at BHRSettlement.com, watch for distribution instructions from Simpluris after the court resolves any post-approval appeals. If you missed the deadline, contact class counsel at Tousley Brain Stephens PLLC or Federman & Sherwood to ask whether late claims are being considered.
- Enroll in medical identity monitoring. If you filed a claim and the settlement is finalized, you will receive access to three years of CyEx Medical Shield Total. Separately, request copies of any Explanation of Benefits from your insurer and review them for services you did not receive. Report discrepancies to your insurer and to HHS OCR.
- Request an Identity Protection PIN (IP PIN) from the IRS at irs.gov/ippin. It is free and prevents fraudulent federal returns under your SSN.
- Be skeptical of unsolicited outreach. Threat actors often follow large breaches with targeted phishing using leaked identifiers. BHR will not ask for your full SSN or banking details by phone to “verify” your account.
- Know your 42 CFR Part 2 rights. If you are a current or former SUD patient, your treatment records are subject to Part 2 protections. If anyone (an employer, a court, a custody proceeding, or an immigration officer) references information that could only have come from your SUD treatment record, document it and consult a Washington healthcare-privacy attorney about a Part 2 enforcement action.
- Stop the ongoing flow of your behavioral health data. A settlement covers past harm; it does not stop BHR or its downstream partners from continuing to share your mental health and SUD treatment records across health-information networks. HealthConsent files HIPAA restriction requests so the behavioral-health and substance-use-disorder information exposed in this breach is not continuously re-shared with insurers, data brokers, and other covered entities.
Sources
- HHS Office for Civil Rights Breach Portal: the federal regulatory record of this breach, listing 49,213 affected individuals at a Network Server (Hacking/IT Incident, filed January 17, 2025).
- HIPAA Journal: Behavioral Health Resources Pays $1.1 Million to Settle Data Breach Lawsuit: settlement amount, claim deadlines, and consolidated case caption.
- DataBreaches.Net: Behavioral Health Resources of Washington state updates its data breach disclosure: confirms the revised affected count of 50,083 and the disclosure timeline.
- NetSec.News: Behavioral Health Resources Settles Data Breach Lawsuit for $1.1 Million: settlement structure, claim hearing date, and class-action history.
- Strauss Borrelli PLLC: Behavioral Health Resources Data Breach Investigation: detailed list of exposed data elements and entity background.
- ClassAction.org: Behavioral Health Resources Data Breach Lawsuit Investigation: named plaintiffs, consolidated case caption, and settlement benefit structure.
- ClassAction.org: $1.1M Behavioral Health Resources Settlement Ends Class Action Suit: preliminary approval date (September 12, 2025), case number 25-2-00630-34, and settlement class coverage.
- BHRSettlement.com (official court-approved settlement site): settlement fund structure, opt-out and objection deadlines, class counsel identities, and settlement administrator contact (Simpluris, 1-833-417-4912).
- BHRSettlement.com FAQ: full benefit details, CyEx Medical Shield Total enrollment terms, and case number.
- BHRSettlement.com Important Dates: confirms notification mailing of October 14, 2025 and claim deadline of January 12, 2026.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal: Behavioral Health Resources Pays $1.1 Million to Settle Data Breach Lawsuit
- DataBreaches.Net: Behavioral Health Resources of Washington state updates its data breach disclosure
- NetSec.News: Behavioral Health Resources Settles Data Breach Lawsuit for $1.1 Million
- Strauss Borrelli PLLC: Behavioral Health Resources Data Breach Investigation
- ClassAction.org: Behavioral Health Resources Data Breach Lawsuit Investigation
- ClassAction.org: $1.1M Behavioral Health Resources Settlement (settlement news, Sept 2025)
- BHRSettlement.com: Official settlement website (Simpluris, administrator)
- BHRSettlement.com FAQ: Case No. 25-2-00630-34, class counsel, benefit structure
- BHRSettlement.com Important Dates: notification mailing 10/14/2025, claim deadline 1/12/2026
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.