Cornerstones of Care Data Breach 2025: 2,771 Youth and Family Records Exposed in Year-Long Email Account Compromise (Kansas City, MO)
Cornerstones of Care, a Kansas City-based youth and family behavioral health nonprofit serving children in Missouri and Kansas, filed a HIPAA breach report with HHS OCR on February 14, 2025 listing 2,771 affected individuals after employee email accounts were accessed by an unauthorized party. The entity's forensic review concluded on September 10, 2025 and notification letters were mailed beginning September 30, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 22, 2024
Cornerstones of Care detects that an unauthorized party may have obtained access to a limited number of employee email accounts
Sep 10, 2024
Forensic investigation later determines unauthorized access to the impacted email accounts occurred on or about September 10-11, 2024
Feb 14, 2025
HIPAA breach report filed with HHS OCR listing 2,771 affected individuals in an Unauthorized Access/Disclosure event at Email
Sep 10, 2025
Forensic investigation and document review concludes; files containing PHI/PII in the impacted email accounts are identified as potentially subject to unauthorized access
Sep 30, 2025
Individual notification letters mailed; substitute notice posted on cornerstonesofcare.org and dedicated response line (877) 415-4305 activated
Aug 22, 2024
Cornerstones of Care detects that an unauthorized party may have obtained access to a limited number of employee email accounts
Sep 10, 2024
Forensic investigation later determines unauthorized access to the impacted email accounts occurred on or about September 10-11, 2024
Feb 14, 2025
HIPAA breach report filed with HHS OCR listing 2,771 affected individuals in an Unauthorized Access/Disclosure event at Email
Sep 10, 2025
Forensic investigation and document review concludes; files containing PHI/PII in the impacted email accounts are identified as potentially subject to unauthorized access
Sep 30, 2025
Individual notification letters mailed; substitute notice posted on cornerstonesofcare.org and dedicated response line (877) 415-4305 activated
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Cornerstones of Care, a 150-year-old nonprofit headquartered in Kansas City, Missouri that provides foster care, adoption, residential treatment, in-home crisis intervention, and outpatient behavioral and mental health services to children and families across Missouri and Kansas, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on February 14, 2025, reporting 2,771 affected individuals in an unauthorized-access event at Email. The entity’s own notice, posted in late September 2025, traces the incident back to an unauthorized party that gained access to a limited number of employee email accounts in the fall of 2024 and confirms that forensic review of the impacted mailboxes was not completed until September 10, 2025. Notification letters began going out on September 30, 2025.
Timeline of what we know
- August 22, 2024. Cornerstones of Care learns that an unauthorized party may have obtained access to a limited number of employee email accounts. The organization reports the incident to law enforcement and engages third-party forensic professionals.
- September 10-11, 2024. Forensic investigators later determine that unauthorized access to the impacted email accounts occurred on or about these dates.
- February 14, 2025. Cornerstones of Care submits its HIPAA breach report to HHS OCR. The portal entry records 2,771 affected individuals, location of breached PHI listed as Email, with the type of breach categorized as an unauthorized access/disclosure incident.
- September 10, 2025. After a year-long forensic investigation and document review, Cornerstones of Care concludes that files containing protected health information and personally identifiable information stored in the impacted email accounts may have been subject to unauthorized access.
- September 30, 2025. Individual notification letters are mailed and a substitute notice is posted on the entity’s newsroom page. A dedicated toll-free response line - (877) 415-4305 - is activated, staffed 9:00 a.m. to 9:00 p.m. ET, Monday through Friday.
What was exposed
According to the substitute notice posted by Cornerstones of Care, the files in the impacted email accounts may have contained the following data elements, depending on the individual:
- Full name
- Home address
- Date of birth
- Social Security number
- Medical diagnosis and treatment information
- Health insurance information
- Provider information
- Medical Record Number
- Patient Account Number
Not every data element was present for every affected individual.
Why this exposure is especially sensitive: youth and behavioral health populations
Cornerstones of Care’s patient and client population is unusually concentrated on populations that draw heightened legal and ethical protection. Its programs include:
- Foster care and adoption services for children removed from their birth families, where the existence of a child welfare file is itself sensitive information.
- Residential treatment for youth ages 6-18 who have experienced trauma, abuse, or neglect, including the Kansas City area’s first Qualified Residential Treatment Program (QRTP).
- Outpatient mental health therapy and Functional Family Therapy (FFT) for at-risk children, families, and individuals.
- Intensive In-Home Services and Family Preservation Services - short-term crisis intervention programs for families at imminent risk of having children removed from the home, often involving allegations of substance use, abuse, or neglect.
When PHI for these populations is exposed, the downstream harms are not limited to financial fraud. They include stigma in school and community settings, complications in pending custody and dependency proceedings, retaliation in domestic situations, and chilling effects on a family’s willingness to engage with future behavioral health or child welfare services. To the extent any of the impacted records reference substance use disorder treatment received through a federally assisted program, those records are also subject to the stricter confidentiality protections of 42 CFR Part 2, which generally prohibits use or disclosure of patient identifying information in custody, employment, or criminal proceedings without specific written consent or a Part 2 court order.
What Cornerstones of Care is offering
Individuals whose Social Security numbers were contained in the impacted files have been offered complimentary credit monitoring at no cost. Cornerstones of Care has provided notified individuals with best-practice guidance for protecting their information, including reviewing explanation of benefits statements from health insurers and following up on any items they do not recognize.
For questions about the incident, Cornerstones of Care has established a dedicated toll-free response line at (877) 415-4305, available 9:00 a.m. to 9:00 p.m. ET, Monday through Friday, excluding holidays.
Class-action and regulatory posture
As of this writing, no class-action lawsuit appears to have been filed against Cornerstones of Care arising from this incident, and no plaintiffs’ firm has publicly announced an investigation. The breach record remains listed on the HHS Office for Civil Rights breach portal under the standard Breach Notification Rule review; no public OCR enforcement action has been announced. State attorney general filings, where required by Missouri, Kansas, and other states with affected residents, have not been publicly catalogued in a single location.
This breach is small in headcount relative to the largest healthcare breaches of 2025, but the combination of (a) youth and behavioral health populations, (b) a full Social Security number and medical-history exposure, and (c) a year-plus delay between detection and individual notification creates a meaningful liability exposure that is not yet reflected in the public docket.
What to do if you may be affected
If you, your child, or a family member received foster care, residential treatment, in-home crisis services, outpatient mental health therapy, or adoption services through Cornerstones of Care between roughly 2018 and 2024, you should assume you may be in scope and take the following steps.
- Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud. This is the single highest-leverage step when SSNs are in play.
- If your child was a client, place a free child credit freeze. Each bureau offers a separate process for freezing a minor’s file. Children’s SSNs are uniquely attractive to identity thieves because they are rarely monitored and provide a clean slate for years.
- Enroll in the complimentary credit monitoring if you receive an enrollment code in your notification letter. Letters were mailed starting September 30, 2025.
- Request an Identity Protection PIN (IP PIN) from the IRS at irs.gov/ippin. It is free and prevents fraudulent federal returns under your SSN.
- Review explanation of benefits statements from your health insurer, Medicaid, or CHIP plan. Report any services, providers, or dates of service you do not recognize to your insurer and to HHS OCR.
- Be skeptical of unsolicited outreach. Threat actors often pair leaked names with targeted phishing referencing real provider relationships. Cornerstones of Care will not request your full SSN or banking details by phone to “verify” your file.
- Call the dedicated response line at (877) 415-4305 if you have questions or believe you should have received a notification but have not.
- Know your 42 CFR Part 2 rights. If any of your or your family’s substance use disorder treatment information surfaces in a custody, employment, criminal, or immigration matter, document it and consult a Missouri or Kansas healthcare-privacy attorney about Part 2 enforcement options.
Sources
- HHS Office for Civil Rights Breach Portal: the federal regulatory record of this breach, listing 2,771 affected individuals at Email (filed February 14, 2025).
- Cornerstones of Care: Notice of Data Security Incident: the entity’s substitute notice, including the detection date, forensic conclusion date, notification commencement, and the full list of data elements implicated.
- Cornerstones of Care: Youth and Family Support Services: description of the foster care, residential treatment, FFT, and in-home crisis intervention programs that drive the patient and client population in scope of this breach.
- Mental Health Providers Directory: Cornerstones of Care (Missouri): independent confirmation of the entity’s mental and behavioral health service lines and Missouri footprint.
- United Way of Greater Kansas City: Cornerstones of Care - Mental and Behavioral Health and Education Services: community confirmation of the entity’s behavioral health and education service profile in the Kansas City metro area.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Cornerstones of Care: Notice of Data Security Incident
- Cornerstones of Care: Youth and Family Support Services
- Mental Health Providers Directory: Cornerstones of Care (Missouri)
- United Way of Greater Kansas City: Cornerstones of Care - Mental and Behavioral Health and Education Services
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.