Active breach tracker OH Disclosed February 10, 2025

Columbus Division of Fire Data Breach 2025: 736 Affected · Hacking/IT Incident · OH. Filed With HHS OCR. What To Do.

The City of Columbus identified protected health information from a Division of Fire database among the data stolen in the July 2024 Rhysida ransomware attack on city systems. The city filed a HIPAA breach notification with HHS OCR on February 10, 2025, reporting 736 affected individuals, and began mailing letters offering two years of free Experian credit and dark-web monitoring with $1M identity-theft insurance.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 18, 2024

access

Dec 12, 2024

detected

Dec 12, 2024

Breach detected

Feb 10, 2025

filed

Feb 10, 2025

notified

Feb 10, 2025

Disclosed publicly

Oct 1, 2025

class-action

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number (a very small subset of records)

02

Health records

Don't expire and can't be reissued

Brief clinical notes about emergency medical services provided at fire/EMS calls

03

Contact & insurance

Phishing + targeted scams

First and last name Address Date of EMS service
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

The City of Columbus identified protected health information from a Columbus Division of Fire database among the data stolen in the July 18, 2024 Rhysida ransomware attack against the city. The city formally filed the HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on February 10, 2025, reporting 736 affected individuals in a Hacking/IT Incident event at Network Server.

The Division of Fire is the EMS-providing arm of city government, and the records involved came from dispatch and incident-report systems that contain brief clinical notes about emergency medical services delivered at fire and EMS calls.

Timeline

  • July 18, 2024 — Rhysida threat actors gained access to City of Columbus IT systems and exfiltrated roughly 6.5 TB of data, including server dumps, employee credentials, and city databases.
  • August 2024 — Rhysida attempted to auction the stolen data for ~30 BTC on its dark-web leak site; after the auction failed, the group dumped approximately 3.1 TB publicly.
  • December 12, 2024 — Through ongoing review of the leaked data, the city identified a Division of Fire database containing what qualifies as protected health information under HIPAA.
  • February 10, 2025 — The city filed the breach with HHS OCR (736 individuals) and began mailing notification letters and publishing substitute notice.
  • October 1, 2025 — A consolidated class action against the City of Columbus over the broader Rhysida cyberattack was dismissed on political-subdivision immunity grounds.

What was exposed

According to the City of Columbus PHI Notification page and the city’s news release, the PHI elements involved for affected individuals may include:

  • First and last name
  • Address
  • Date of birth
  • Date of EMS service
  • Brief notes on the emergency medical service provided at the fire/EMS call
  • A very small subset of records also contained Social Security numbers

Why EMS-source PHI matters more than ordinary records

EMS run-sheet data is among the more sensitive categories of clinical information. A single brief note on a Division of Fire dispatch record can reveal an overdose, a domestic violence response, a mental health crisis, a pregnancy complication, or a chronic condition treated in the field. Unlike a routine clinical encounter recorded in a doctor’s office, an EMS record also discloses the address where the emergency occurred and the date and time of the response, which together make re-identification trivial even when other identifiers are minimized.

For the 736 individuals whose information was identified in this database, the combination of name + address + DOB + date-of-service + a clinical note is enough to support targeted phishing, insurance-fraud impersonation, or extortion attempts referencing the specific incident. Households where a Division of Fire response could be embarrassing or dangerous if disclosed (e.g., domestic violence calls, substance-use responses, mental health holds) bear additional risk.

Credit monitoring and identity-protection offering

The City of Columbus is offering two years of free Experian credit monitoring and dark-web monitoring, including $1 million in identity-theft insurance, to individuals identified in the Division of Fire PHI notification. Enrollment instructions and the activation code are included in the individual notification letter mailed beginning February 10, 2025. The city has stated it is not aware of any actual or attempted misuse of the PHI for identity theft or fraud.

Class action and litigation status

A separate, broader class action filed by city employees and residents over the July 2024 Rhysida cyberattack (which encompassed far more than the 736 Division of Fire PHI records) was dismissed on October 1, 2025 by Franklin County Common Pleas Judge Carl Aveni. The court ruled that the City of Columbus is shielded by Ohio political-subdivision immunity, observing that a private defendant likely would have survived the motion to dismiss on the same facts. The dismissal is on appeal. No separate class action narrowly tied to the 736-person Division of Fire PHI cohort has been publicly reported as of this writing.

What to do if you may be affected

  • Read your notification letter carefully. It will state whether your record was one of the very small subset that contained a Social Security number, which materially changes the risk profile.
  • Enroll in the Experian monitoring offered by the city. Two years of credit and dark-web monitoring plus $1M of identity-theft insurance is genuinely useful, and there is no reason to leave it on the table.
  • Freeze your credit with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). It is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft, regardless of whether your SSN was specifically involved.
  • Be cautious of phishing referencing your EMS encounter. Because the leaked data includes date of service and brief clinical notes, threat actors can craft convincing messages purporting to be from the city, the Division of Fire, a hospital, or a collections agency. Verify any such contact by calling the entity directly using a number you look up yourself.
  • If your record included an SSN, file an IRS Identity Protection PIN (IP PIN) request to block fraudulent tax filings, and monitor your Social Security earnings record at ssa.gov.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.