Compass Counseling Services, LLC Data Breach 2025: 5,440 Affected · Hacking/IT Incident · FL. Filed With HHS OCR. What To Do.
Compass Counseling Services, LLC (FL) filed a HIPAA breach notification with the HHS Office for Civil Rights on July 29, 2025, reporting 5,440 affected individuals in a Hacking/IT Incident event at Network Server. The HHS OCR portal entry is the primary public record; further details are not yet publicly disclosed o...
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 19, 2024
Unauthorized actor begins accessing files on the Compass network
Nov 20, 2024
Compass identifies unauthorized network activity and begins containment
Nov 21, 2024
Unauthorized access ends per Compass's forensic timeline
Feb 2, 2025
Forensic investigation completes; Compass confirms which files were accessed
Jun 16, 2025
Compass publishes Notice of Data Security Breach on its website and begins mailing letters
Jul 29, 2025
Breach reported to HHS Office for Civil Rights
Aug 7, 2025
Strauss Borrelli PLLC announces class-action investigation
Aug 8, 2025
Federman & Sherwood announces class-action investigation
Nov 19, 2024
Unauthorized actor begins accessing files on the Compass network
Nov 20, 2024
Compass identifies unauthorized network activity and begins containment
Nov 21, 2024
Unauthorized access ends per Compass's forensic timeline
Feb 2, 2025
Forensic investigation completes; Compass confirms which files were accessed
Jun 16, 2025
Compass publishes Notice of Data Security Breach on its website and begins mailing letters
Jul 29, 2025
Breach reported to HHS Office for Civil Rights
Aug 7, 2025
Strauss Borrelli PLLC announces class-action investigation
Aug 8, 2025
Federman & Sherwood announces class-action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Compass Counseling Services, LLC, a Florida-based outpatient mental health clinic that has provided counseling, group therapy, medication management, and psychological testing since 2011, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on July 29, 2025, reporting 5,440 affected individuals in a Hacking/IT Incident event at Network Server. According to the entity’s own Notice of Data Security Breach, an unauthorized actor accessed files on the Compass network between approximately November 19 and November 21, 2024, and Compass identified the unauthorized activity on November 20, 2024.
Timeline of the incident
The intrusion window is narrow but the discovery-to-notification gap is long. Compass detected the unauthorized activity the day after access began, contained the incident, and retained outside cybersecurity professionals to scope what was taken. The forensic review concluded on February 2, 2025, at which point Compass had a list of files that had been accessed. Compass then conducted document review to identify whose information appeared in those files, published its Notice of Data Security Breach on June 16, 2025, mailed letters to individuals with valid addresses on file, and filed with HHS OCR on July 29, 2025. Plaintiffs’ firms began publicly soliciting affected individuals in early August 2025.
What was exposed
Compass’s notice and the law-firm investigations published to date describe the exposed records as including names, dates of birth, Social Security numbers, driver’s license or state ID numbers, health insurance policy numbers, Medicare or Medicaid numbers, medical diagnoses and treatment information, provider names and locations, financial account numbers, routing numbers, digital signatures, and account credentials. Compass states it has no evidence of resulting financial fraud or identity theft as of the notification date — that statement reflects what the entity could observe at the time of notification and is not a guarantee.
Why a mental-health-clinic breach hits harder
When a mental-health provider’s record system is the breached asset, the exposed data is not just identifiers. It is diagnoses, treatment notes, medication histories, and the names of the providers and locations involved in a person’s care. That information is not interchangeable with a generic identity-theft dataset:
- Discrimination risk. Mental-health diagnoses can be used against people in employment, custody disputes, insurance underwriting, and immigration adjudications. Once that information is loose, it is permanently loose.
- Stigma and re-disclosure. Patients who chose Compass specifically because counseling is private now have to consider that their attendance, diagnoses, or medications may be known to a third party.
- Targeted extortion. Hackers with access to therapy records have, in other incidents, contacted patients directly with threats to publish session content unless paid. The Vastaamo case in Finland remains the canonical example. Patients of any breached behavioral-health provider should treat unsolicited messages referencing their care with suspicion.
- Account-credential exposure. Compass’s notice lists “account credentials” among the affected fields. If you reused a Compass-related password anywhere else, change those passwords now and enable multi-factor authentication.
What Compass is offering
Compass established a dedicated incident response line at 833-566-6959, available 8 a.m. to 8 p.m. Eastern, Monday through Friday. Individuals who do not receive a letter but believe they may be affected can call that number to inquire. Public sources do not yet confirm the specific terms of complimentary credit monitoring or identity-protection services; the individual notification letter is the controlling document on that question — read yours carefully before any deadline it states.
Class-action posture
Two plaintiffs’ firms have publicly announced investigations:
- Strauss Borrelli PLLC announced its investigation on August 7, 2025.
- Federman & Sherwood announced its investigation on August 8, 2025.
As of this writing, no consolidated class-action complaint against Compass Counseling Services, LLC has been confirmed in public dockets. Investigation announcements are solicitations, not filed lawsuits. We will update this page when a complaint is filed.
What to do if you may be affected
- Freeze your credit with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). It is free, takes about ten minutes per bureau, and is the highest-leverage single step against identity theft and new-account fraud.
- Watch for a notification letter from Compass Counseling Services, LLC. The letter will list the specific data elements involved for your record and the terms of any complimentary monitoring service.
- Change passwords and enable MFA on any account that reused a Compass-related password. The notice cites “account credentials” among the exposed data.
- Be skeptical of unsolicited messages that reference your care at Compass, a diagnosis, or a provider name. Threats demanding payment to suppress therapy content are a known pattern after mental-health-record breaches. Do not pay; report to the FBI’s IC3 at ic3.gov.
- If you receive Medicare or Medicaid benefits, monitor your Medicare Summary Notice or state Medicaid statements for services you did not receive. Report medical identity theft to 1-800-MEDICARE or your state Medicaid fraud control unit.
- Call 833-566-6959 if you have not received a letter but believe you may be affected.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach.
- Compass Counseling Services — Notice of Data Security Breach — entity’s own substitute notice with the forensic timeline and affected-data list.
- Compass Counseling Services — Breach Notice (alternate URL) — mirror of the substitute notice.
- Strauss Borrelli PLLC — Compass Counseling Data Breach Investigation — plaintiffs’-firm summary of exposed data elements and affected count.
- Federman & Sherwood — Compass Counseling Services, LLC Data Breach — second plaintiffs’-firm investigation announcement.
- Claim Depot — Compass Counseling Services 2025 Data Breach — aggregator summary including the dedicated support line.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Compass Counseling Services — Notice of Data Security Breach
- Compass Counseling Services — Breach Notice (alternate URL)
- Strauss Borrelli PLLC — Compass Counseling Data Breach Investigation
- Federman & Sherwood — Compass Counseling Services, LLC Data Breach
- Claim Depot — Compass Counseling Services 2025 Data Breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.