Community Health Center, Inc. (CT) Data Breach 2025: 1,060,936 Affected — FQHC Patients, Pediatric Records, COVID-Test Recipients, and 4,200 Employees Exposed. What To Do
Community Health Center, Inc., a Connecticut FQHC headquartered in Middletown, filed a HIPAA breach with HHS OCR on January 30, 2025 reporting 1,060,936 individuals. A criminal hacker exfiltrated patient data between mid-October 2024 and January 2, 2025. Names, DOB, SSN, diagnoses, test results, and insurance data were exposed.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 14, 2024
Initial unauthorized access to CHC network (per forensic reconstruction)
Jan 2, 2025
CHC detects unusual activity; access reportedly cut off within hours
Jan 30, 2025
Breach reported to HHS OCR (Hacking/IT Incident, Network Server)
Feb 13, 2025
Notification letters mailed to 1,060,936 affected individuals; 24 months identity theft and credit monitoring offered
Feb 14, 2025
First-filed putative class action, Murray v. Community Health Center, Inc., No. 3:25-cv-00226 (D. Conn.)
Apr 30, 2025
Enrollment deadline for free 24-month IDX identity protection services
Oct 14, 2024
Initial unauthorized access to CHC network (per forensic reconstruction)
Jan 2, 2025
CHC detects unusual activity; access reportedly cut off within hours
Jan 30, 2025
Breach reported to HHS OCR (Hacking/IT Incident, Network Server)
Feb 13, 2025
Notification letters mailed to 1,060,936 affected individuals; 24 months identity theft and credit monitoring offered
Feb 14, 2025
First-filed putative class action, Murray v. Community Health Center, Inc., No. 3:25-cv-00226 (D. Conn.)
Apr 30, 2025
Enrollment deadline for free 24-month IDX identity protection services
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Community Health Center, Inc. (CHC), a Middletown-based federally qualified health center that operates more than a dozen primary care, dental, and behavioral health clinics across Connecticut and serves roughly 17,000 students through school-based health programs, disclosed a hacking incident affecting 1,060,936 individuals — including pediatric patients and the next of kin of deceased patients. The breach was filed with HHS OCR on January 30, 2025 as a Hacking/IT Incident at a Network Server.
Timeline
- October 14, 2024. Forensic reconstruction places initial unauthorized access on or about this date. The intruder remained inside CHC’s environment for roughly eleven weeks.
- January 2, 2025. CHC identifies unusual activity in its computer systems. The organization states the attacker’s access was cut off within hours of detection. No files were encrypted and no data was deleted.
- January 30, 2025. CHC files a breach notification with the HHS Office for Civil Rights at 1,060,936 individuals, with approximately 1,008,519 Connecticut residents affected.
- February 13, 2025. Notification letters are mailed to affected individuals. CHC offers 24 months of complimentary identity theft and credit monitoring.
- February 14, 2025. The first-filed putative class action, Murray v. Community Health Center, Inc., No. 3:25-cv-00226, is docketed in the U.S. District Court for the District of Connecticut. Additional federal complaints follow through mid-February.
What was exposed
CHC’s notice and the federal complaints identify a broad set of data elements taken from patient records. CHC reported three distinct exposure tiers:
Full clinical-record exposure (~575,000 individuals):
- Name, date of birth, address, phone number, and email
- Social Security number
- Health insurance information
- Diagnoses, treatment information, medications, and progress notes
- Laboratory and other test results
- Guarantor information for pediatric patients
Limited-record exposure (~571,000 individuals): Individuals with a narrower data footprint at CHC had a subset of the above fields exposed.
Employees (~4,200): CHC confirmed approximately 4,200 employees are also in the affected class. The specific fields for employees are drawn from HR records; the notification letter is the authoritative source for your individual data set.
COVID-test and vaccine recipients (non-patients): CHC sent separate notification letters to people who received only a COVID-19 test or vaccine at a CHC clinic and were not otherwise patients. For this group, exposed information may include name, date of birth, phone number, email, address, gender, race, ethnicity, and insurance information — with possible vaccine details — but generally not the full clinical record. No SSN exposure has been confirmed for this subset by CHC’s own notice.
Notably, CHC confirmed that pediatric patients (and their parents or guardians) and deceased patients (whose next of kin received notification) are included in the affected population. That combination — minors’ identifiers plus full clinical detail plus SSN — is among the most sensitive categories of health-data exposure.
What CHC is offering
CHC is providing 24 months of complimentary identity theft and credit monitoring through IDX (call 1-877-229-9277 or follow the activation instructions in the notification letter). The IDX package includes 24 months of CyberScan dark-web monitoring and credit monitoring, a $1 million identity-theft insurance reimbursement policy, and live identity-recovery assistance. The enrollment deadline was April 30, 2025. If you did not enroll by that date, contact IDX directly to ask whether late enrollment is possible; some vendors extend deadlines for affected individuals who have documentation.
The organization states that, at the time of disclosure, it had no indication that any of the stolen data had been misused, and that no public ransomware leak-site posting has been confirmed.
Sensitive-population considerations
CHC is one of Connecticut’s largest federally qualified health centers and treats a patient population that is disproportionately Medicaid, uninsured, immigrant, and homeless, plus a large pediatric panel through school-based clinics. Several considerations follow:
- Minors with exposed SSNs. A child’s SSN is high-value on identity-theft markets because credit files are typically dormant for a decade or more. Parents and guardians of CHC pediatric patients should consider placing a protected consumer freeze at all three nationwide credit bureaus, which is free and available for minors in every state.
- Mixed-status households. CHC’s patient base includes individuals for whom exposure of address, phone, and immigration-adjacent identifiers carries safety risk distinct from financial fraud. The 24-month monitoring product does not address that risk; address suppression and phone-line hygiene do.
- Behavioral-health and substance-use treatment records. CHC operates behavioral health and substance-use services. To the extent records covered by 42 C.F.R. Part 2 were within the exfiltrated set, the disclosure implicates federal confidentiality protections beyond HIPAA.
Class-action and regulatory posture
More than half a dozen putative class actions were filed in the U.S. District Court for the District of Connecticut between February 5 and February 13, 2025, with the lead-filed Murray case docketed February 14, 2025 (No. 3:25-cv-00226). Named plaintiffs to date include Tracy Murray and Brian McCarthy. The McCarthy complaint specifically alleges that CHC’s public statement of a January 2, 2025 incident understated the actual intrusion timeline by approximately eleven weeks.
The complaints assert negligence, negligence per se, breach of implied contract, breach of fiduciary duty, and violations of HIPAA, the FTC Act, and Connecticut data-protection law. Plaintiffs seek compensatory, punitive, and nominal damages, restitution, injunctive relief mandating remedial security measures, and attorneys’ fees.
Multiple plaintiff firms are publicly investigating or have filed in the matter, including Mason LLP, Wolf Haldenstein Adler Freeman & Herz LLP, Woods Lonergan PLLC, Sauder Schelkopf LLC, Shub Johns & Holbrook LLP, Abington Cole + Ellery, Strauss Borrelli PLLC, and Levi & Korsinsky LLP.
Connecticut AG investigation: Connecticut Attorney General William Tong stated publicly that his office is investigating the breach. Connecticut residents make up roughly 95 percent of the affected class and constitute the principal state-level enforcement constituency. CHC also filed notification with the Maine Attorney General on January 30, 2025, as required by Maine’s disclosure law.
The HHS OCR investigation is open at the time of this writing.
What to do
If you, your child, or a family member received care at any CHC clinic — primary care, dental, behavioral health, or a school-based health program — or if you received a COVID-19 test or vaccine at a CHC site, assume you are in the affected class and act accordingly.
- Activate the IDX identity protection. Call IDX at 1-877-229-9277 or follow the instructions in your notification letter. The enrollment deadline was April 30, 2025; if you missed it, call IDX directly to ask whether late enrollment is available. Monitoring is a backstop, not a substitute for a credit freeze.
- Freeze your credit at Equifax, Experian, and TransUnion. For minor patients of CHC’s pediatric or school-based programs, place a protected consumer freeze for the child. Both are free and reversible.
- Watch for tax-refund and benefits fraud. SSN plus DOB plus address is the standard pre-filing identity-theft kit. File your federal return early and consider requesting an IRS Identity Protection PIN at IRS.gov/identity-theft-central.
- Be alert for clinical-record phishing. An attacker holding diagnoses, medications, and provider names can craft convincing pretexts — fake prior-authorization calls, fake pharmacy callbacks. Verify any unsolicited outreach through known CHC numbers, not callback numbers embedded in the message.
- If SUD or behavioral-health records are involved, note that 42 C.F.R. Part 2 (federal substance-use confidentiality law) provides civil-enforcement remedies that are separate from and in some respects stronger than HIPAA. Document any unauthorized re-disclosure.
- Preserve your notification letter. It is the simplest proof of class membership if you choose to participate in the pending litigation.
- Stop the ongoing flow of your primary-care and behavioral-health data. HealthConsent files HIPAA restriction requests so the diagnoses, medications, and treatment records exposed in this breach are not continuously re-shared across health information exchanges, insurance eligibility networks, and downstream data brokers. File a restriction request at HealthConsent.org.
Continue reading
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record.
- HIPAA Journal — Over 1 Million Patients Affected by Community Health Center Data Breach
- BankInfoSecurity — Connecticut Health Clinic Hack Affects Nearly 1.1 Million
- SecurityWeek — 1 Million Impacted by Data Breach at Connecticut Healthcare Provider
- Bloomberg Law — Connecticut Community Health Center Sued Over 2024 Data Breach
- Hartford Business Journal — Community Health Center Inc. faces lawsuits over data breach
- NBC Connecticut — Over 1 million Connecticut residents impacted by healthcare data breach
- Dark Reading — Community Health Center Notifies 1M of Stolen Data Breach
- WFSB (CBS Connecticut) — Community Health in Middletown experiences data breach
- Fox61 — Connecticut patient data affected by 2025 Community Health Center hack
- Strauss Borrelli PLLC — Community Health Center Data Breach Investigation
We confirm only what at least two independent established sources report; the intrusion timeline (mid-October 2024 to January 2, 2025) and 1,060,936-person scope are corroborated across HHS OCR, HIPAA Journal, BankInfoSecurity, SecurityWeek, and the federal complaints. IDX as credit-monitoring vendor, enrollment deadline (April 30, 2025), affected-count breakdown, and AG investigation are corroborated by multiple independent outlets including Fox61, WFSB, Strauss Borrelli, and Security Affairs.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Over 1 Million Patients Affected by Community Health Center Data Breach
- BankInfoSecurity — Connecticut Health Clinic Hack Affects Nearly 1.1 Million
- SecurityWeek — 1 Million Impacted by Data Breach at Connecticut Healthcare Provider
- Bloomberg Law — Connecticut Community Health Center Sued Over 2024 Data Breach
- Hartford Business Journal — Community Health Center Inc. faces lawsuits over data breach
- NBC Connecticut — Over 1 million Connecticut residents impacted by healthcare data breach
- Dark Reading — Community Health Center Notifies 1M of Stolen Data Breach
- WFSB (CBS Connecticut) — Community Health in Middletown experiences data breach
- Fox61 — Connecticut patient data affected by 2025 Community Health Center hack
- Strauss Borrelli PLLC — Community Health Center Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.