Clinica Family Health Services Data Breach 2025: 47,593 Affected · INC Ransom Attack on Post-Merger Mental Health Partners Network · CO FQHC. What To Do.
Clinica Family Health & Wellness — a Colorado Federally Qualified Health Center serving more than 60,000 mostly low-income and Spanish-speaking patients across Adams, Boulder, Broomfield, and Gilpin counties — disclosed a March 14, 2025 intrusion attributed to the INC Ransom group on the Mental Health Partners network it absorbed in October 2024. The HHS OCR filing on July 14, 2025 reports 47,593 affected. SSNs, driver's license numbers, diagnosis and treatment records are all in scope. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 1, 2024
Clinica Family Health and Mental Health Partners complete merger; MHP network integrated into Clinica operations
Mar 14, 2025
Intrusion detected on the Mental Health Partners environment; incident contained, external forensics engaged
Mar 14, 2025
Breach detected
Jul 14, 2025
Filed with HHS OCR — 47,593 affected, Hacking/IT Incident at Network Server
Jul 27, 2025
Substitute notice publicly posted; toll-free response line opened
Feb 23, 2026
Identification of impacted individuals and specific data elements completed; written notification letters mailed
Oct 1, 2024
Clinica Family Health and Mental Health Partners complete merger; MHP network integrated into Clinica operations
Mar 14, 2025
Intrusion detected on the Mental Health Partners environment; incident contained, external forensics engaged
Mar 14, 2025
Breach detected
Jul 14, 2025
Filed with HHS OCR — 47,593 affected, Hacking/IT Incident at Network Server
Jul 27, 2025
Substitute notice publicly posted; toll-free response line opened
Feb 23, 2026
Identification of impacted individuals and specific data elements completed; written notification letters mailed
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Clinica Family Health & Wellness — the Colorado Federally Qualified Health Center formed by the October 2024 merger of Clinica Family Health and Mental Health Partners — disclosed a ransomware intrusion on its post-merger Mental Health Partners network. The HHS OCR filing on July 14, 2025 reports 47,593 affected individuals in a Hacking/IT Incident at a Network Server. The INC Ransom group claimed the attack and posted sample screenshots to its dark-web leak site.
Timeline
- October 2024. Clinica Family Health and Mental Health Partners (MHP) complete their merger. The MHP IT environment is integrated into Clinica’s operations.
- March 14, 2025. Clinica detects an intrusion on the Mental Health Partners environment. The incident is contained the same day and external cybersecurity professionals are engaged.
- July 14, 2025. HIPAA breach notification filed with HHS OCR. Federal record: 47,593 affected, Hacking/IT Incident, Network Server.
- July 27, 2025. Substitute notice posted publicly. Confidential response line opened.
- February 23, 2026. Identification of affected individuals and the specific data elements involved is completed. Individual notification letters begin going out by U.S. mail.
What was exposed
Per Clinica’s substitute notice, the potentially compromised information may have included any of the following:
- Full name
- Address
- Date of birth
- Social Security number
- Driver’s license or other government-issued identification number
- Medical diagnosis or treatment information
- Health insurance information
- Financial information
- Other medical information
Forensic investigators stated there was “no evidence to indicate that data was removed” from the environment. INC Ransom’s leak-site post including sample screenshots argues otherwise, and Clinica conducted a full file-by-file review on that assumption.
A breach that lands on an especially vulnerable population
Clinica Family Health & Wellness is not an ordinary 47,000-patient breach. It is the safety-net provider for four Front Range counties — Adams, Boulder, Broomfield, and Gilpin — operating 14 community-based clinics with more than 900 employees and seeing over 60,000 patients per year.
- Founded in 1977 by Alicia Sanchez to serve migrant farmworkers in south Boulder County
- Approximately 50% of patients live at or below the federal poverty line
- Around 30% of patients are minors
- About 35% of patients (Clinica’s own figure) are served in a language other than English, predominantly Spanish
For mixed-status families, immigrant communities, and patients whose mental-health diagnoses, addiction-treatment records, or reproductive-care histories are now in scope, the exposure is not abstract. Driver’s license numbers and SSNs combined with diagnosis-level records create real risks of identity theft, insurance fraud, and, in the current enforcement climate, chilling effects on care-seeking.
Substance use disorder records: 42 CFR Part 2 applies
The breached Mental Health Partners environment included the 24/7 Walk-In Crisis & Addiction Services Center in Louisville, which provides withdrawal management, detox, intensive outpatient substance use care, and medication-assisted treatment (MAT). Records created in that program are protected not only by HIPAA but also by 42 CFR Part 2, the federal confidentiality law for substance use disorder treatment records.
Part 2 carries restrictions HIPAA does not. SUD treatment records in a Part 2 program cannot be disclosed in most civil or criminal proceedings without a court order, and re-disclosure by anyone who receives them is restricted. As of August 2025, HHS OCR holds civil enforcement authority over Part 2 violations, aligning civil penalty exposure with the HIPAA penalty structure. If your connection to Clinica or Mental Health Partners was for SUD services, you have stronger protection than a typical medical breach, and any unauthorized disclosure of those records may be actionable independently of the HIPAA framework.
Multi-state AG notifications
The breach notice was filed with at least 13 state attorneys general: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington. That reach is unusual for a Colorado FQHC and reflects the mobile patient population MHP and Clinica served — including out-of-state students, traveling workers, and individuals who have since relocated. If you are a resident of any of those states, you may have additional notice and remedy rights under your state’s breach notification law.
What Clinica is offering
- Dedicated toll-free response line: 1-855-983-5736, Monday through Friday 7 a.m. to 7 p.m. Mountain Time (excluding holidays)
- Forensic investigation completed. Remediation and security uplift described in the substitute notice
- Individual notification letters mailed beginning after the February 23, 2026 identification milestone
Clinica’s published notice does not itemize a specific complimentary credit-monitoring product. Instead, it points individuals to free fraud alerts and security freezes at the three major credit bureaus. Review your individual letter for any enrollment code and deadline that may apply to you.
Class-action posture
At least two plaintiff firms have announced public investigations:
- The Lyon Firm is investigating the breach and offering free consultations to affected individuals.
- Shamis & Gentile P.A. is collecting potential claimants.
No consolidated class action is publicly docketed as of this writing. The combination of (a) a delayed identification timeline (March 2025 detection to February 2026 individual-level identification), (b) SSN plus driver’s-license plus diagnosis exposure, and (c) a leak-site posting by a named ransomware group are the elements plaintiff firms typically build a complaint around.
What to do if you may be affected
- Place free credit freezes at Equifax, Experian, and TransUnion. Ten minutes per bureau, no cost, and it stops new credit being opened in your name.
- File IRS Form 14039 if your letter confirms SSN exposure, to flag your tax account against fraudulent return filing.
- Replace your driver’s license or state ID if your letter lists that number. The Colorado DMV will reissue with a new number on request when the original is implicated in a breach.
- Watch your Explanation of Benefits statements. Medical-identity theft typically shows up as services you did not receive billed to your insurance.
- If you received SUD or addiction services at Mental Health Partners, be aware that your records carry 42 CFR Part 2 protections in addition to HIPAA. Any unauthorized disclosure of those specific records can be reported directly to HHS OCR under Part 2 civil enforcement authority.
- Call Clinica’s response line (1-855-983-5736) Monday through Friday, 7 a.m. to 7 p.m. Mountain Time (excluding holidays), for questions and for the enrollment code for any credit-monitoring service Clinica is offering.
- Stop the ongoing flow of your treatment data. HealthConsent files HIPAA restriction requests so the diagnosis and treatment records exposed in this breach are not continuously re-shared across the healthcare networks that absorbed this data.
Sources on this page
- Clinica Family Health & Wellness — Notice of Data Security Incident. The entity’s own substitute notice (data elements, response line, hours, New Mexico resident rights notice).
- Clinica Family Health & Wellness — Locations. Walk-In Crisis & Addiction Services Center services (withdrawal management, detox, intensive outpatient SUD care, MAT), confirming 42 CFR Part 2 program status.
- HIPAA Journal — Florida & Colorado Mental Health Clinics Data Breach. Trade-press coverage including INC Ransom attribution and data elements.
- BizWest — Clinica Family Health & Wellness reveals 2025 data breach. Regional business press reporting on disclosure.
- BeyondMachines — INC RANSOM claims compromise of mental health data at Clinica Family Health & Wellness. Threat-intelligence coverage of INC Ransom’s dark-web leak-site posting.
- Healthcare Facilities Today — Clinica Family Health Reports Data Breach. Trade publication coverage (August 5, 2025).
- The Lyon Firm — Clinica Family Health Data Breach Investigation. Plaintiff-firm investigation page confirming INC Ransom attribution and the post-merger network context.
- ClaimDepot — Clinica Family Health Data Breach Lawsuit Investigation. State AG filing list (13 states), data-element list.
- Clinica Family Health & Wellness — About Us. FQHC profile, patient demographics, counties served.
- HHS Office for Civil Rights Breach Portal. The federal regulatory record of this breach (47,593 affected, Hacking/IT Incident, Network Server, July 14, 2025).
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Clinica Family Health & Wellness: Notice of Data Security Incident
- HIPAA Journal: Florida & Colorado Mental Health Clinics Data Breach
- BizWest: Clinica Family Health & Wellness reveals 2025 data breach
- The Lyon Firm: Clinica Family Health Data Breach Investigation
- ClaimDepot: Clinica Family Health Data Breach Lawsuit Investigation (includes state AG filing list)
- Clinica Family Health & Wellness: About Us (FQHC profile)
- Clinica Family Health & Wellness: Locations (Walk-In Crisis & Addiction Services Center — SUD/MAT services)
- BeyondMachines: INC RANSOM claims compromise of mental health data at Clinica Family Health & Wellness
- Healthcare Facilities Today: Clinica Family Health Reports Data Breach (August 2025)
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.