Active breach tracker CO Disclosed July 14, 2025

Clinica Family Health Services Data Breach 2025: 47,593 Affected · INC Ransom Attack on Post-Merger Mental Health Partners Network · CO FQHC. What To Do.

Clinica Family Health & Wellness — a Colorado Federally Qualified Health Center serving more than 60,000 mostly low-income and Spanish-speaking patients across Adams, Boulder, Broomfield, and Gilpin counties — disclosed a March 14, 2025 intrusion attributed to the INC Ransom group on the Mental Health Partners network it absorbed in October 2024. The HHS OCR filing on July 14, 2025 reports 47,593 affected. SSNs, driver's license numbers, diagnosis and treatment records are all in scope. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 1, 2024

Clinica Family Health and Mental Health Partners complete merger; MHP network integrated into Clinica operations

Mar 14, 2025

Intrusion detected on the Mental Health Partners environment; incident contained, external forensics engaged

Mar 14, 2025

Breach detected

Jul 14, 2025

Filed with HHS OCR — 47,593 affected, Hacking/IT Incident at Network Server

Jul 27, 2025

Substitute notice publicly posted; toll-free response line opened

Feb 23, 2026

Identification of impacted individuals and specific data elements completed; written notification letters mailed

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license / government-issued ID number

02

Health records

Don't expire and can't be reissued

Medical diagnosis or treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address Health insurance information Financial information Other medical information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

The Lyon Firm (publicly investigating) Shamis & Gentile P.A. (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Clinica Family Health & Wellness — the Colorado Federally Qualified Health Center formed by the October 2024 merger of Clinica Family Health and Mental Health Partners — disclosed a ransomware intrusion on its post-merger Mental Health Partners network. The HHS OCR filing on July 14, 2025 reports 47,593 affected individuals in a Hacking/IT Incident at a Network Server. The INC Ransom group claimed the attack and posted sample screenshots to its dark-web leak site.

Timeline

  • October 2024. Clinica Family Health and Mental Health Partners (MHP) complete their merger. The MHP IT environment is integrated into Clinica’s operations.
  • March 14, 2025. Clinica detects an intrusion on the Mental Health Partners environment. The incident is contained the same day and external cybersecurity professionals are engaged.
  • July 14, 2025. HIPAA breach notification filed with HHS OCR. Federal record: 47,593 affected, Hacking/IT Incident, Network Server.
  • July 27, 2025. Substitute notice posted publicly. Confidential response line opened.
  • February 23, 2026. Identification of affected individuals and the specific data elements involved is completed. Individual notification letters begin going out by U.S. mail.

What was exposed

Per Clinica’s substitute notice, the potentially compromised information may have included any of the following:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Driver’s license or other government-issued identification number
  • Medical diagnosis or treatment information
  • Health insurance information
  • Financial information
  • Other medical information

Forensic investigators stated there was “no evidence to indicate that data was removed” from the environment. INC Ransom’s leak-site post including sample screenshots argues otherwise, and Clinica conducted a full file-by-file review on that assumption.

A breach that lands on an especially vulnerable population

Clinica Family Health & Wellness is not an ordinary 47,000-patient breach. It is the safety-net provider for four Front Range counties — Adams, Boulder, Broomfield, and Gilpin — operating 14 community-based clinics with more than 900 employees and seeing over 60,000 patients per year.

  • Founded in 1977 by Alicia Sanchez to serve migrant farmworkers in south Boulder County
  • Approximately 50% of patients live at or below the federal poverty line
  • Around 30% of patients are minors
  • About 35% of patients (Clinica’s own figure) are served in a language other than English, predominantly Spanish

For mixed-status families, immigrant communities, and patients whose mental-health diagnoses, addiction-treatment records, or reproductive-care histories are now in scope, the exposure is not abstract. Driver’s license numbers and SSNs combined with diagnosis-level records create real risks of identity theft, insurance fraud, and, in the current enforcement climate, chilling effects on care-seeking.

Substance use disorder records: 42 CFR Part 2 applies

The breached Mental Health Partners environment included the 24/7 Walk-In Crisis & Addiction Services Center in Louisville, which provides withdrawal management, detox, intensive outpatient substance use care, and medication-assisted treatment (MAT). Records created in that program are protected not only by HIPAA but also by 42 CFR Part 2, the federal confidentiality law for substance use disorder treatment records.

Part 2 carries restrictions HIPAA does not. SUD treatment records in a Part 2 program cannot be disclosed in most civil or criminal proceedings without a court order, and re-disclosure by anyone who receives them is restricted. As of August 2025, HHS OCR holds civil enforcement authority over Part 2 violations, aligning civil penalty exposure with the HIPAA penalty structure. If your connection to Clinica or Mental Health Partners was for SUD services, you have stronger protection than a typical medical breach, and any unauthorized disclosure of those records may be actionable independently of the HIPAA framework.

Multi-state AG notifications

The breach notice was filed with at least 13 state attorneys general: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington. That reach is unusual for a Colorado FQHC and reflects the mobile patient population MHP and Clinica served — including out-of-state students, traveling workers, and individuals who have since relocated. If you are a resident of any of those states, you may have additional notice and remedy rights under your state’s breach notification law.

What Clinica is offering

  • Dedicated toll-free response line: 1-855-983-5736, Monday through Friday 7 a.m. to 7 p.m. Mountain Time (excluding holidays)
  • Forensic investigation completed. Remediation and security uplift described in the substitute notice
  • Individual notification letters mailed beginning after the February 23, 2026 identification milestone

Clinica’s published notice does not itemize a specific complimentary credit-monitoring product. Instead, it points individuals to free fraud alerts and security freezes at the three major credit bureaus. Review your individual letter for any enrollment code and deadline that may apply to you.

Class-action posture

At least two plaintiff firms have announced public investigations:

  • The Lyon Firm is investigating the breach and offering free consultations to affected individuals.
  • Shamis & Gentile P.A. is collecting potential claimants.

No consolidated class action is publicly docketed as of this writing. The combination of (a) a delayed identification timeline (March 2025 detection to February 2026 individual-level identification), (b) SSN plus driver’s-license plus diagnosis exposure, and (c) a leak-site posting by a named ransomware group are the elements plaintiff firms typically build a complaint around.

What to do if you may be affected

  1. Place free credit freezes at Equifax, Experian, and TransUnion. Ten minutes per bureau, no cost, and it stops new credit being opened in your name.
  2. File IRS Form 14039 if your letter confirms SSN exposure, to flag your tax account against fraudulent return filing.
  3. Replace your driver’s license or state ID if your letter lists that number. The Colorado DMV will reissue with a new number on request when the original is implicated in a breach.
  4. Watch your Explanation of Benefits statements. Medical-identity theft typically shows up as services you did not receive billed to your insurance.
  5. If you received SUD or addiction services at Mental Health Partners, be aware that your records carry 42 CFR Part 2 protections in addition to HIPAA. Any unauthorized disclosure of those specific records can be reported directly to HHS OCR under Part 2 civil enforcement authority.
  6. Call Clinica’s response line (1-855-983-5736) Monday through Friday, 7 a.m. to 7 p.m. Mountain Time (excluding holidays), for questions and for the enrollment code for any credit-monitoring service Clinica is offering.
  7. Stop the ongoing flow of your treatment data. HealthConsent files HIPAA restriction requests so the diagnosis and treatment records exposed in this breach are not continuously re-shared across the healthcare networks that absorbed this data.

Sources on this page

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.