Central District Health Department of Nebraska Data Breach 2025: 58,519 Affected · Medusa Ransomware · 84 GB Exfiltrated
Central District Health Department of Nebraska, the public health agency serving Hall, Hamilton, and Merrick Counties from Grand Island, confirmed a February 2025 network intrusion in which the Medusa ransomware group exfiltrated approximately 84 GB of data and posted it to a dark-web leak site. Names, dates of birth, Social Security numbers, and protected health information for 58,519 individuals were exposed.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 1, 2025
Unauthorized party accesses CDHD network environment; CDHD takes immediate steps to secure the network and engages third-party forensic incident response firm
Feb 1, 2025
Breach detected
Feb 12, 2025
Medusa ransomware group lists CDHD on its dark-web leak site; reported data leakage of approximately 84.40 GB with a $320,000 ransom demand
Apr 1, 2025
HIPAA breach notification filed with the HHS Office for Civil Rights reporting 58,519 affected individuals (Hacking/IT Incident, Network Server)
Jun 26, 2025
Forensic and document review of potentially impacted data is completed
Jul 14, 2025
CDHD publishes substitute notice and begins mailing individual notification letters; 12 months of complimentary credit monitoring and identity-theft protection offered
Jul 14, 2025
Disclosed publicly
Feb 1, 2025
Unauthorized party accesses CDHD network environment; CDHD takes immediate steps to secure the network and engages third-party forensic incident response firm
Feb 1, 2025
Breach detected
Feb 12, 2025
Medusa ransomware group lists CDHD on its dark-web leak site; reported data leakage of approximately 84.40 GB with a $320,000 ransom demand
Apr 1, 2025
HIPAA breach notification filed with the HHS Office for Civil Rights reporting 58,519 affected individuals (Hacking/IT Incident, Network Server)
Jun 26, 2025
Forensic and document review of potentially impacted data is completed
Jul 14, 2025
CDHD publishes substitute notice and begins mailing individual notification letters; 12 months of complimentary credit monitoring and identity-theft protection offered
Jul 14, 2025
Disclosed publicly
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Central District Health Department of Nebraska (CDHD) is the local public health agency serving Hall, Hamilton, and Merrick Counties from its main office at 1137 S Locust St in Grand Island. According to its 2024-2025 Annual Report, CDHD employs 47 staff and serves approximately 79,563 residents across its three-county district. Its programs include immunization clinics (18,300 vaccinations administered in the most recent reporting year), communicable-disease control, WIC nutrition services, environmental health, and behavioral health outreach. The department also operates a school-age lead-screening program and an air-quality monitoring network. Because CDHD holds public health records spanning its entire service population, a network intrusion affects a broad cross-section of residents: patients who received vaccinations, individuals in communicable-disease surveillance programs, WIC participants, and clients of environmental-health inspections.
An unauthorized party accessed CDHD’s network environment on February 1, 2025. CDHD immediately engaged a specialized third-party forensic incident response firm and took steps to secure the network. Approximately eleven days later, on February 12, 2025 at 23:39 UTC, the Medusa ransomware group listed CDHD on its dark-web leak site, claiming roughly 84.40 GB of exfiltrated data and demanding a $320,000 ransom. Medusa is a Ransomware-as-a-Service (RaaS) group that employs a double-extortion model: it both encrypts victim systems and threatens to publish stolen data unless paid. The FBI and CISA jointly issued a StopRansomware advisory on Medusa in March 2025, noting the group had compromised more than 300 organizations across critical infrastructure sectors, including healthcare, as of February 2025.
The forensic and document review concluded on June 26, 2025. CDHD determined that personal and protected health information for 58,519 individuals had been potentially acquired. A substitute notice was published on cdhd.ne.gov and individual notification letters began mailing on July 14, 2025. The HHS Office for Civil Rights breach filing is dated April 1, 2025, and classifies the event as a Hacking/IT Incident affecting a Network Server. The Medusa leak-site entry remains indexed on ransomware tracking platforms, indicating the exfiltrated archive was made available to threat actors regardless of whether the ransom was paid.
What was stolen
According to CDHD’s substitute notice, the data elements potentially affected vary by individual and include:
- First name and last name
- Date of birth
- Social Security number
- Protected health information (PHI)
CDHD has not publicly enumerated the specific PHI sub-categories (for example, diagnosis codes, immunization records, treatment details, or insurance identifiers). Given the breadth of CDHD’s programs, records at risk may span communicable-disease surveillance, immunization histories, WIC enrollment data, and environmental-health case files, but this is contextual inference, not confirmed disclosure. Rely on the data elements listed in your individual notification letter for the confirmed facts about your record.
What CDHD is offering
CDHD is offering affected individuals 12 months of complimentary credit monitoring and identity-theft protection services at no cost. Enrollment instructions are included in the individual notification letters.
CDHD has established a dedicated incident-response phone line:
- Phone: 1-833-380-5601
- Hours: Monday through Friday, 8:00 a.m. to 8:00 p.m. ET (excluding U.S. holidays)
CDHD’s notice states: “CDHD has no reason to believe that any individual’s information has been misused as a result of this event.” That statement does not change the fact that the data was published on a ransomware leak site and made available to threat actors.
Class actions and regulatory posture
No class-action lawsuit specifically captioned against Central District Health Department of Nebraska has been publicly reported in the sources reviewed as of this page’s last update.
One Nebraska-specific legal development is worth noting. Nebraska Governor Jim Pillen signed Legislative Bill 241 (LB241) on March 17, 2025, which limits class-action liability for cybersecurity events against private entities to cases involving willful, wanton, or gross negligence. However, LB241 expressly covers only private entities. CDHD is a government agency, so LB241 does not provide it class-action immunity. Standard common-law negligence standards would apply to any civil claims brought against a public health department in Nebraska.
The HHS OCR breach-portal entry remains in open / under-investigation status. The Nebraska Attorney General’s office tracks data-breach activity; any CDHD-related state enforcement filings would surface at ago.nebraska.gov if and when opened.
What to do
- Enroll in the offered credit monitoring. Use the enrollment code included in your CDHD notification letter and activate it at the vendor portal identified in the letter. The 12-month window applies from the enrollment deadline, not from today.
- Freeze your credit at all three bureaus: Equifax, Experian, and TransUnion. Social Security numbers were exposed and the data was confirmed posted to a ransomware leak site. A freeze is free, reversible, and materially stronger protection than monitoring alone.
- File for an IRS Identity Protection PIN (Form 15227, or online at irs.gov/ippin). This is one of the strongest available defenses against tax-refund fraud from a stolen SSN.
- Watch for medical identity theft. Review every Explanation of Benefits statement from your health insurer and any Medicare Summary Notice. The higher-impact downstream harm from a public-health-department breach is fraudulent medical claims billed in your name, not just credit-card fraud.
- Be alert to targeted phishing. Threat actors holding your name, date of birth, Social Security number, and Grand Island / CDHD context can craft convincing impersonation calls or emails referencing your health department interactions. Verify any inbound contact independently before providing information or clicking links.
- Call 1-833-380-5601 with case-specific questions. Have your notification letter ready when you call.
- Stop the ongoing flow of your public health records. HealthConsent files HIPAA restriction requests so the health and demographic data exposed in this breach is not continuously re-shared across health information exchanges and insurance networks.
Continue reading
- Your HIPAA Rights — how to request restrictions on disclosures of your health information
- All tracked breaches — full index of healthcare data breach pages on HealthConsent
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Central District Health Department — Notice of Data Security Incident (substitute notice)
- HHS Office for Civil Rights Breach Portal
- RedPacket Security — [MEDUSA] Ransomware Victim: Central District Health Department
- Cybernews — Medusa ransom gang claims City of Aurora, Nebraska (CDHD leak attribution)
- Nebraska Attorney General — Office of the Attorney General
- CISA / FBI — StopRansomware: Medusa Ransomware (advisory background)
- Ransomware.live — Victim: Central District Health Department (Medusa, discovered 2025-02-12)
- Breachsense — Central District Health Department Data Breach in 2025
- Nebraska Legislature — Legislative Bill 241 (LB241), cybersecurity class-action immunity for private entities
- CDHD 2024-2025 Annual Report — Nebraska Legislature submission (entity profile, service area)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.