CareSTL Health, Inc. Data Breach 2025: 501 Affected · Cephalus Ransomware · MO FQHC. Filed With HHS OCR. What To Do.
CareSTL Health, Inc., a Federally Qualified Health Center serving roughly 30,000 patients across north St. Louis, filed a HIPAA breach notification with the HHS Office for Civil Rights on October 3, 2025, reporting 501 affected individuals from a network-server hacking incident. The Cephalus ransomware group claimed responsibility, alleging exfiltration of more than 500 GB of data.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 28, 2025
access
Aug 26, 2025
detected
Aug 26, 2025
Breach detected
Oct 3, 2025
filed
Oct 3, 2025
Disclosed publicly
Jun 28, 2025
access
Aug 26, 2025
detected
Aug 26, 2025
Breach detected
Oct 3, 2025
filed
Oct 3, 2025
Disclosed publicly
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
CareSTL Health, Inc., a Federally Qualified Health Center (FQHC) serving roughly 30,000 patients across north St. Louis, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on October 3, 2025, reporting 501 individuals affected by a hacking/IT incident on a network server. The Cephalus ransomware group publicly claimed responsibility on its dark-web leak site on August 26, 2025, alleging it had exfiltrated more than 500 GB of data from the organization.
Timeline
- June 28, 2025 — Estimated date of initial unauthorized access, based on the timestamp Cephalus operators attached to their leak-site post.
- August 26, 2025 — Cephalus added CareSTL Health to its public victim list, advertising “500+GB” of stolen data and referencing the KAWA4096 encryption tooling the group uses on Go-based ransomware payloads delivered via stolen RDP credentials.
- October 3, 2025 — CareSTL Health filed its HIPAA Breach Notification Rule report with HHS OCR: 501 affected individuals, network-server hacking/IT incident.
What was exposed
The OCR portal entry identifies the location of the compromised information as a network server and the incident type as a hacking/IT incident. CareSTL Health has not published a substitute notice itemizing specific data elements as of this writing, and individual notification letters are the most reliable source for that detail.
The Cephalus group claimed to have exfiltrated over 500 GB of data. Healthcare network-server intrusions at FQHCs typically expose some combination of names, dates of birth, addresses, Social Security numbers, medical record numbers, diagnoses and treatment information, and health insurance details. The specific elements that apply here will be listed in the notification letter sent to each affected individual.
A sensitive patient population
CareSTL Health is one of the principal safety-net providers in north St. Louis, serving a patient base that is disproportionately low-income, Medicaid-enrolled, and concentrated in some of the most economically distressed ZIP codes in Missouri. FQHC patient records frequently include sensitive medical histories — behavioral health, HIV/AIDS care, substance-use treatment, reproductive health — that carry heightened privacy concerns beyond the typical financial-fraud risk. For this population, a breach is not only an identity-theft risk; it is also a confidentiality breach with the potential for social and professional consequences if specific records were among those exfiltrated.
In the months following the breach, CareSTL temporarily closed several clinic locations in February 2026 over a payroll shortfall. Leadership cited a “perfect storm” that included the cyberattack, federal funding delays, and damage from the May 2025 tornado that struck the city’s north side. Patients who had received care during 2025 should not assume their records have been deleted or rendered inaccessible because of the closures — the OCR filing is the operative record-keeping obligation.
What CareSTL is offering
As of May 16, 2026, CareSTL Health has not publicly posted a substitute breach notice on its website, and no complimentary credit-monitoring or identity-protection offering has been disclosed in public filings. Affected individuals should look for a notification letter mailed to the address on file. If you received care from CareSTL during 2024 or 2025 and have moved, contact the organization to confirm your mailing address.
Class-action status
No class-action complaints against CareSTL Health, Inc. arising from this breach have been located in public dockets as of May 16, 2026. Given the small size of the OCR filing (501 individuals), the financial fragility of the organization, and its FQHC status, the litigation landscape here is uncertain. We will update this page if filings appear.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and is the single highest-leverage step against new-account identity theft.
- Watch your mail for a notification letter from CareSTL Health. Read it carefully — it should list the specific data elements involved and any complimentary credit-monitoring or identity-protection services being offered.
- Review Explanation of Benefits statements from Medicaid and any other insurer for unfamiliar charges or providers. Medical-identity fraud often appears here first.
- Be alert for targeted phishing. Attackers who exfiltrate FQHC data sometimes use it to craft convincing follow-on scams — fake “breach response” calls, fake Medicaid recertification notices, fake pharmacy refill alerts.
- Bookmark this page. We update it as the entity’s notification letter, state attorney general filings, or court records become public.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Ransomware.live — Cephalus group profile — threat-intelligence database tracking the Cephalus group’s victims, tactics, and KAWA4096 encryption tooling.
- HookPhish — Ransomware Group Cephalus Hits CareSTL Health — leak-site posting details, attack date, and exfiltration claim.
- St. Louis Public Radio — St. Louis community health center CareSTL closes abruptly amid payroll issues — local coverage of the February 2026 closures and the role of the cyberattack in the organization’s cash-flow crisis.
- Hoodline — CareSTL Health Clinics in St. Louis Temporarily Shut Down Amid Financial Struggles and Cyberattack Fallout — additional reporting on the closures and contributing factors.
- First Alert 4 — CareSTL Health closes temporarily amid payroll issues, patients left without medication — patient-impact reporting from the February 2026 closures.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Ransomware.live — Cephalus group profile
- HookPhish — Cephalus Hits CareSTL Health
- St. Louis Public Radio — CareSTL closes abruptly amid payroll issues
- Hoodline — CareSTL Clinics Shut Down Amid Financial Struggles and Cyberattack Fallout
- First Alert 4 — CareSTL Health closes temporarily amid payroll issues
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.