Active breach tracker MO Disclosed October 3, 2025

CareSTL Health, Inc. Data Breach 2025: 501 Affected · Cephalus Ransomware · MO FQHC. Filed With HHS OCR. What To Do.

CareSTL Health, Inc., a Federally Qualified Health Center serving roughly 30,000 patients across north St. Louis, filed a HIPAA breach notification with the HHS Office for Civil Rights on October 3, 2025, reporting 501 affected individuals from a network-server hacking incident. The Cephalus ransomware group claimed responsibility, alleging exfiltration of more than 500 GB of data.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jun 28, 2025

access

Aug 26, 2025

detected

Aug 26, 2025

Breach detected

Oct 3, 2025

filed

Oct 3, 2025

Disclosed publicly

Data exposed

03

Contact & insurance

Phishing + targeted scams

Network server contents (specific PHI elements not yet itemized in public filings) Cephalus leak-site post claims 500+ GB of exfiltrated data
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

CareSTL Health, Inc., a Federally Qualified Health Center (FQHC) serving roughly 30,000 patients across north St. Louis, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on October 3, 2025, reporting 501 individuals affected by a hacking/IT incident on a network server. The Cephalus ransomware group publicly claimed responsibility on its dark-web leak site on August 26, 2025, alleging it had exfiltrated more than 500 GB of data from the organization.

Timeline

  • June 28, 2025 — Estimated date of initial unauthorized access, based on the timestamp Cephalus operators attached to their leak-site post.
  • August 26, 2025 — Cephalus added CareSTL Health to its public victim list, advertising “500+GB” of stolen data and referencing the KAWA4096 encryption tooling the group uses on Go-based ransomware payloads delivered via stolen RDP credentials.
  • October 3, 2025 — CareSTL Health filed its HIPAA Breach Notification Rule report with HHS OCR: 501 affected individuals, network-server hacking/IT incident.

What was exposed

The OCR portal entry identifies the location of the compromised information as a network server and the incident type as a hacking/IT incident. CareSTL Health has not published a substitute notice itemizing specific data elements as of this writing, and individual notification letters are the most reliable source for that detail.

The Cephalus group claimed to have exfiltrated over 500 GB of data. Healthcare network-server intrusions at FQHCs typically expose some combination of names, dates of birth, addresses, Social Security numbers, medical record numbers, diagnoses and treatment information, and health insurance details. The specific elements that apply here will be listed in the notification letter sent to each affected individual.

A sensitive patient population

CareSTL Health is one of the principal safety-net providers in north St. Louis, serving a patient base that is disproportionately low-income, Medicaid-enrolled, and concentrated in some of the most economically distressed ZIP codes in Missouri. FQHC patient records frequently include sensitive medical histories — behavioral health, HIV/AIDS care, substance-use treatment, reproductive health — that carry heightened privacy concerns beyond the typical financial-fraud risk. For this population, a breach is not only an identity-theft risk; it is also a confidentiality breach with the potential for social and professional consequences if specific records were among those exfiltrated.

In the months following the breach, CareSTL temporarily closed several clinic locations in February 2026 over a payroll shortfall. Leadership cited a “perfect storm” that included the cyberattack, federal funding delays, and damage from the May 2025 tornado that struck the city’s north side. Patients who had received care during 2025 should not assume their records have been deleted or rendered inaccessible because of the closures — the OCR filing is the operative record-keeping obligation.

What CareSTL is offering

As of May 16, 2026, CareSTL Health has not publicly posted a substitute breach notice on its website, and no complimentary credit-monitoring or identity-protection offering has been disclosed in public filings. Affected individuals should look for a notification letter mailed to the address on file. If you received care from CareSTL during 2024 or 2025 and have moved, contact the organization to confirm your mailing address.

Class-action status

No class-action complaints against CareSTL Health, Inc. arising from this breach have been located in public dockets as of May 16, 2026. Given the small size of the OCR filing (501 individuals), the financial fragility of the organization, and its FQHC status, the litigation landscape here is uncertain. We will update this page if filings appear.

What to do if you may be affected

  • Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and is the single highest-leverage step against new-account identity theft.
  • Watch your mail for a notification letter from CareSTL Health. Read it carefully — it should list the specific data elements involved and any complimentary credit-monitoring or identity-protection services being offered.
  • Review Explanation of Benefits statements from Medicaid and any other insurer for unfamiliar charges or providers. Medical-identity fraud often appears here first.
  • Be alert for targeted phishing. Attackers who exfiltrate FQHC data sometimes use it to craft convincing follow-on scams — fake “breach response” calls, fake Medicaid recertification notices, fake pharmacy refill alerts.
  • Bookmark this page. We update it as the entity’s notification letter, state attorney general filings, or court records become public.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.