Active breach tracker Ann Arbor, MI Disclosed January 9, 2026

CNLD Neuropsychology Data Breach 2026 (Qilin Ransomware): 3,722 Michigan Pediatric Patients Exposed. 150 GB Claimed. What To Do

The Center for Neuropsychology, Learning & Development (CNLD), an Ann Arbor, Michigan practice serving children, teens, and adults for ADHD, autism, and learning disability testing, was attacked by the Qilin ransomware group in October 2025. The group claims 150 GB exfiltrated. Names, contact information, dates of birth, medical and therapy records, insurance, and billing data for 3,722 patients exposed. Pediatric mental-health records are particularly sensitive. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 30, 2025

Qilin lists CNLD on dark-web leak site

Oct 30, 2025

Attacker gained access

Oct 30, 2025

Breach detected

Jan 9, 2026

HHS OCR filing

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

IQ / WISC / WAIS results, ADHD/ASD/learning-disability diagnoses (inferred)

03

Contact & insurance

Phishing + targeted scams

Full name Contact information Medical / therapy records Insurance / billing information Employee / HR data Pediatric neuropsychological test protocols and raw scores (inferred from practice profile)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Siri & Glimstad LLP (investigation noted; status: closed)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

The Center for Neuropsychology and Learning, PC — known as CNLD Neuropsychology — is an Ann Arbor, Michigan practice founded around 1995 by Dr. Roger Lauer. The practice has approximately 15 clinicians serving children, teens, adults, families, and geriatric patients across ADHD, autism spectrum disorder, learning disabilities (dyslexia, dyscalculia, dysgraphia), anxiety, depression, bipolar disorder, dementia and memory impairment, executive function, and trauma/PTSD.

A vulnerable pediatric population is core to CNLD’s book of business — neuropsychological testing is used for special-education advocacy, IEP and 504 plan support, and developmental diagnosis.

On October 30, 2025, the Qilin ransomware group (also known as Agenda) posted CNLD to its dark-web leak site with the standard threat: “The full leak will be published soon, unless a company representative contacts us via the channels provided.” Multiple ransomware trackers concur on this date. Qilin is a Russian-linked ransomware-as-a-service group that was the most active ransomware family in October 2025.

CNLD filed with HHS OCR on January 9, 2026 — confirming 3,722 affected individuals. The 71-day gap between the public leak-site listing and the OCR filing is consistent with a late-October intrusion and the ~60-day HIPAA notification clock.

Qilin claims approximately 150 GB exfiltrated per BreachSense reporting.

Why pediatric neuropsychological records are uniquely sensitive

CNLD’s exposed records likely include some of the most stigmatizing categories of PHI:

  • Pediatric neuropsychological test protocols and raw scores (WISC, WIAT, WAIS)
  • IQ scores tied to identifiable children
  • ADHD, ASD, and specific learning disability diagnoses
  • Psychotherapy notes
  • School records and IEP / 504 documentation

These records can follow a child through school placement, college admissions, military eligibility, and adult employment background checks. Exposure of childhood cognitive testing data has effectively permanent reputational consequences.

What was stolen

Per BreachSense aggregation (entity has not posted a notice on cnld.org as of mid-May 2026):

  • Full name
  • Contact information
  • Date of birth
  • Medical / therapy records
  • Insurance / billing information
  • Employee / HR data

SSN exposure is not confirmed in public reporting — read your specific notification letter carefully.

What CNLD is offering

As of mid-May 2026, CNLD has not posted a security-incident page or breach notice on cnld.org. Credit-monitoring vendor and call center information are not located in public sources. No notification letter copy has been published via Maine AG, California AG, Massachusetts AG, or Vermont AG portals.

If you receive a CNLD notification letter, the letter will list what is being offered.

A class-action investigation was opened by Siri & Glimstad LLP and is now marked as “Investigation Closed” — this could indicate declination, settlement, or migration to a filed complaint. No federal docket has been located.

What to do

  1. Call CNLD at the number listed on cnld.org (734-994-9466) and ask whether they have mailed a substitute notice and what monitoring is offered.
  2. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  3. If your child was a CNLD patient, freeze their credit at all three bureaus (minors require manual outreach with proof of guardianship). Pediatric records create long-tail synthetic-identity-theft risk.
  4. Document any future surfacing of childhood test scores or diagnoses — Qilin’s “publish-or-pay” posture means exfiltrated data may circulate over time.
  5. Stop the ongoing flow of your neuropsychological and mental-health data. HealthConsent files HIPAA restriction requests so the pediatric testing, diagnostic, and psychotherapy data exposed in this breach is not continuously re-shared.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.