Community Care Alliance Data Breach 2025: 114,975 Affected by Rhysida Ransomware. $1.09M Class Settlement. What To Do
Community Care Alliance, a Rhode Island behavioral-health and social-services nonprofit, filed with HHS OCR on March 1, 2025 reporting 114,975 affected individuals in a Hacking/IT Incident at a network server. The Rhysida ransomware group claimed the attack and posted a 2.5 TB SQL dump on its leak site. A $1.09M class settlement (Flacco v. CCA, PC-2024-05237) received final approval October 14, 2025; payments began distribution January 23, 2026.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 1, 2024
Unauthorized access to Community Care Alliance's network began
Jul 6, 2024
Network disruption identified; CCA detected the intrusion and engaged outside forensic counsel
Sep 24, 2024
Flacco v. Community Care Alliance filed in RI Superior Court, Providence County (PC-2024-05237)
Jan 8, 2025
File review confirmed sensitive personal and health data had been exfiltrated
Mar 1, 2025
CCA filed Hacking/IT Incident report with HHS OCR (114,975 affected); individual notification letters began going out
Mar 7, 2025
CCA filed breach notifications with attorneys general in at least 13 states, including Maine, Vermont, Rhode Island, and California
Jun 3, 2025
RI Superior Court granted preliminary approval of $1.09M class settlement; Eisner Advisory Group, LLC appointed claims administrator
Oct 1, 2025
Claims deadline passed for documented-loss reimbursement and credit monitoring enrollment
Oct 14, 2025
Court entered Final Approval Order and Judgment on $1.09M class settlement
Jan 23, 2026
Settlement administrator (Eisner Advisory Group, LLC) began distributing payments to timely, valid claimants
Jul 1, 2024
Unauthorized access to Community Care Alliance's network began
Jul 6, 2024
Network disruption identified; CCA detected the intrusion and engaged outside forensic counsel
Sep 24, 2024
Flacco v. Community Care Alliance filed in RI Superior Court, Providence County (PC-2024-05237)
Jan 8, 2025
File review confirmed sensitive personal and health data had been exfiltrated
Mar 1, 2025
CCA filed Hacking/IT Incident report with HHS OCR (114,975 affected); individual notification letters began going out
Mar 7, 2025
CCA filed breach notifications with attorneys general in at least 13 states, including Maine, Vermont, Rhode Island, and California
Jun 3, 2025
RI Superior Court granted preliminary approval of $1.09M class settlement; Eisner Advisory Group, LLC appointed claims administrator
Oct 1, 2025
Claims deadline passed for documented-loss reimbursement and credit monitoring enrollment
Oct 14, 2025
Court entered Final Approval Order and Judgment on $1.09M class settlement
Jan 23, 2026
Settlement administrator (Eisner Advisory Group, LLC) began distributing payments to timely, valid claimants
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Community Care Alliance is a Woonsocket-based Rhode Island nonprofit that runs roughly fifty programs serving people in behavioral-health crisis, substance-use recovery, housing instability, and family services. CCA maintains offices in Woonsocket, Providence, and locations across Rhode Island. Its client population is, by design, one of the most sensitive cohorts a healthcare entity can hold records on, and the 114,975-record dataset that the Rhysida ransomware group exfiltrated in July 2024 reflects that.
Rhysida is a ransomware-as-a-service operation believed by researchers at Barracuda Networks to operate from Russia or the Commonwealth of Independent States, based on Russian-language internal communications and the group’s consistent avoidance of CIS-region targets. A joint FBI and CISA advisory (last updated April 30, 2025) categorizes Rhysida as an active RaaS threat targeting the education, healthcare, manufacturing, information technology, and government sectors since May 2023. Rhysida employs double extortion: it exfiltrates data first, then encrypts systems, and either auctions the stolen data on its dark-web leak site or releases it publicly if no buyer pays. CCA is among approximately 169 victims Rhysida had listed publicly as of early March 2025.
Timeline
- July 1, 2024 — Unauthorized access to CCA’s network begins.
- July 5, 2024 — Attackers exit the environment after exfiltrating data.
- July 6, 2024 — CCA experiences network disruption, detects the intrusion, and engages outside forensic counsel.
- September 24, 2024 — Flacco v. Community Care Alliance is filed in the Superior Court for the State of Rhode Island, Providence County, No. PC-2024-05237.
- January 8, 2025 — File review confirms sensitive personal and clinical data was exfiltrated.
- March 1, 2025 — CCA files with HHS OCR reporting 114,975 affected individuals.
- March 7, 2025 — CCA files breach notifications with attorneys general in at least 13 states (Maine, Vermont, Rhode Island, California, Iowa, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, South Carolina, Texas, and Washington); individual notification letters go out the same day. CCA’s dedicated assistance line — 1-833-998-5800 — is activated.
- June 3, 2025 — RI Superior Court grants preliminary approval of the $1.09M settlement; Eisner Advisory Group, LLC is appointed claims administrator, and David Lietz is confirmed as class counsel.
- October 1, 2025 — Claims deadline passes for documented-loss reimbursement and credit monitoring enrollment.
- October 14, 2025 — The court enters the Final Approval Order and Judgment on the $1.09 million class settlement.
- January 23, 2026 — Eisner Advisory Group, LLC begins distributing payments to timely, valid claimants.
What was exposed
CCA’s official notice — published on communitycareri.org and filed with the Maine, Vermont, and Rhode Island attorneys general on March 7, 2025 — confirms the following categories varied by individual:
- Full name and address
- Date of birth
- Driver’s license number
- Social Security number
- Diagnosis and condition information
- Lab test results
- Medications
- Health insurance information
- Patient IDs and provider names
Rhysida posted a 2.5 terabyte SQL database to its dark-web leak site, which is consistent with full-table exfiltration from a clinical or case-management system rather than a narrow file share. Rhysida employs double-extortion tactics: it steals data and encrypts systems simultaneously, then either sells stolen datasets via online auction or releases them publicly if no buyer pays. Independent reporting from BankInfoSecurity, HIPAA Journal, teiss, and BlackFog corroborates the volume and the attribution.
The harm shape here is full-profile identity fraud (SSN plus driver’s license plus date of birth) layered on top of medical and behavioral-health record exposure. For a meaningful share of the population, those clinical records describe psychiatric diagnoses, substance-use treatment, and crisis services.
Sensitive-population considerations
CCA’s service mix means the exposed dataset almost certainly includes records subject to 42 CFR Part 2, the federal confidentiality rule governing substance-use disorder treatment records held by federally assisted programs. Part 2 protections are stricter than HIPAA: redisclosure without specific written consent is generally prohibited, and Part 2 records have historically carried heightened stigma and legal exposure (employment, family court, professional licensing).
For affected individuals, the practical implication is that the same demographic and clinical fields that drive routine identity theft also carry independent privacy harm. A leaked record showing that a person received methadone maintenance, intensive outpatient psychiatric care, or housing-first crisis support is not interchangeable with a leaked dermatology record. The class-action complaint and several plaintiff-firm investigations explicitly flag the behavioral-health character of the data as an aggravating factor.
This page does not attempt to confirm whether CCA’s specific programs are federally assisted within the meaning of Part 2, which is a fact-specific determination. We note the rule because the class of affected individuals should be aware that Part 2 may give them additional rights and remedies their notification letter does not spell out.
Class-action posture
Flacco v. Community Care Alliance, No. PC-2024-05237, was filed September 24, 2024, in the Superior Court for the State of Rhode Island, Providence County. The complaint alleged CCA was negligent in failing to implement reasonable cybersecurity measures and that the Rhysida attack could have been prevented with adequate controls. David Lietz served as class counsel for plaintiff William Flacco.
The court granted preliminary approval on June 3, 2025, appointing Eisner Advisory Group, LLC as claims administrator. CCA did not admit wrongdoing and agreed to a $1,090,000 non-reversionary settlement fund. The court entered the Final Approval Order and Judgment on October 14, 2025, and Eisner Advisory Group began distributing payments on January 23, 2026.
Class members had three compensation tracks:
- Documented out-of-pocket losses capped at $5,000 per class member for fraud, identity theft, and other costs reasonably traceable to the breach after July 29, 2024.
- Two years of three-bureau credit monitoring with dark-web monitoring, up to $1,000,000 in identity theft insurance, and fully managed identity recovery services.
- Pro-rata cash payment estimated at approximately $100 per person, subject to adjustment based on total valid claims filed.
Class members could claim one or more tracks simultaneously. The claims submission deadline was October 1, 2025. Plaintiff firms that publicly investigated or filed on the case include Kehoe Law Firm, Strauss Borrelli PLLC, Federman & Sherwood, Markovits Stock & DeMarco, Edelson Lechtzin LLP, and Woods Lonergan PLLC. Deductions from the settlement fund included $363,333.33 in attorneys’ fees, settlement administration costs, and a $2,500 service award to the named plaintiff. As part of the settlement, CCA also agreed to implement new cybersecurity measures and business practices.
On the regulatory side, the breach remains listed on the HHS Office for Civil Rights portal. No public OCR enforcement resolution against CCA has been announced as of this page’s last update.
What to do
This week:
- Place a free credit freeze with Equifax, Experian, and TransUnion. This is the single highest-leverage protection against new-account fraud opened with your SSN and driver’s license number, and it is independent of any monitoring CCA or the settlement administrator may have already enrolled you in.
- Contact CCA’s dedicated assistance line at 1-833-998-5800 if you have questions about your notification letter, what specific data of yours was in scope, or the credit monitoring CCA offered in its individual breach notices.
- If you elected the credit monitoring track in the class settlement, contact the settlement administrator at [email protected] to confirm enrollment status. The settlement’s credit monitoring includes two years of three-bureau coverage, dark-web monitoring, up to $1,000,000 in identity theft insurance, and fully managed identity recovery services.
- File IRS Form 14039 (Identity Theft Affidavit) to block a fraudulent tax return being filed under your SSN.
This month:
- Review Explanation of Benefits statements from your insurer for services you did not receive. Medical identity theft typically surfaces in EOBs weeks or months after the underlying fraud.
- Know your 42 CFR Part 2 rights. If your CCA services included substance-use disorder treatment, the redisclosure rules and remedies under Part 2 are stricter than the HIPAA defaults your notification letter may describe. Consult counsel before signing any release that authorizes further disclosure of those records.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks, so the behavioral-health and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.
- Watch for follow-on letters. Downstream insurers, billing vendors, or affiliated programs may issue their own notifications referencing this same incident.
This page is a summary maintained by HealthConsent and was last cross-referenced against the settlement administrator’s website (ccadatasettlement.com), CCA’s official notice PDF (communitycareri.org), the Vermont AG filing, BankInfoSecurity’s reporting, the CISA Rhysida advisory, and the HHS OCR breach portal on the date listed in lastUpdated.
Sources
- Community Care Alliance — Official Notice of Data Incident (PDF)
- Vermont AG — 2025-03-07 CCA Data Breach Notice to Consumers
- HIPAA Journal: Rhode Island Human Services Agency Announces 114K-Record Data Breach
- HIPAA Journal: Community Care Alliance Agrees to Pay $1.09 Million to Settle Class Action Ransomware Lawsuit
- BankInfoSecurity: Rhysida Hacking Group Strikes More Healthcare Providers
- Flacco v. Community Care Alliance — Official Settlement Website (PC-2024-05237)
- ClassAction.org: $1.09M Community Care Alliance Settlement
- Top Class Actions: $1.09M Community Care Alliance data breach class action settlement
- ClaimDepot: Community Care Alliance Data Breach (state AG filing list)
- teiss: Ransomware attack on Community Care Alliance compromised 2.5 TB of sensitive patient data
- BlackFog: Rhysida Ransomware — Recent U.S. Breaches and Mitigation
- Barracuda Networks: Rhysida Ransomware — The Creepy Crawling Criminal (RaaS profile, Russian/CIS attribution)
- CISA #StopRansomware Advisory AA23-319A — Rhysida (updated April 30, 2025)
- Kehoe Law Firm: Community Care Alliance Data Breach Affects 114,975 Individuals
- Daily Security Review: Rhode Island’s Community Care Alliance Data Breach
- HHS OCR Breach Portal
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Rhode Island Human Services Agency Announces 114K-Record Data Breach
- HIPAA Journal: Community Care Alliance Agrees to Pay $1.09 Million to Settle Class Action Ransomware Lawsuit
- Flacco v. Community Care Alliance — Official Settlement Website (PC-2024-05237, RI Superior Court)
- ClassAction.org: $1.09M Community Care Alliance Settlement Ends Class Action Lawsuit Over 2024 Data Breach
- Top Class Actions: $1.09M Community Care Alliance data breach class action settlement
- teiss: Ransomware attack on Community Care Alliance compromised 2.5 TB of sensitive patient data
- BlackFog: Rhysida Ransomware — Recent U.S. Breaches and Mitigation
- Kehoe Law Firm: Community Care Alliance Data Breach Affects 114,975 Individuals
- Daily Security Review: Rhode Island's Community Care Alliance Data Breach
- HHS OCR Breach Portal
- Community Care Alliance — Official Notice of Data Incident (PDF, hosted on communitycareri.org)
- Vermont AG — 2025-03-07 Community Care Alliance Data Breach Notice to Consumers
- BankInfoSecurity: Rhysida Hacking Group Strikes More Healthcare Providers (CCA and Sunflower Medical Group)
- Barracuda Networks: Rhysida Ransomware — RaaS Group Profile (Russian/CIS attribution)
- CISA #StopRansomware Advisory AA23-319A — Rhysida (updated April 2025)
- JDSupra / Console & Associates: Community Care Alliance Provides Notice of Data Breach to 114,945 (Maine AG filing detail)
- ClaimDepot: Community Care Alliance Data Breach (state AG filing list and settlement benefit details)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.