Active breach tracker Kansas City, MO Disclosed February 14, 2025

Cornerstones of Care Data Breach 2025: 2,771 Youth and Family Records Exposed in Year-Long Email Account Compromise (Kansas City, MO)

Cornerstones of Care, a Kansas City-based youth and family behavioral health nonprofit serving children in Missouri and Kansas, filed a HIPAA breach report with HHS OCR on February 14, 2025 listing 2,771 affected individuals after employee email accounts were accessed by an unauthorized party. The entity's forensic review concluded on September 10, 2025 and notification letters were mailed beginning September 30, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 22, 2024

Cornerstones of Care detects that an unauthorized party may have obtained access to a limited number of employee email accounts

Sep 10, 2024

Forensic investigation later determines unauthorized access to the impacted email accounts occurred on or about September 10-11, 2024

Feb 14, 2025

HIPAA breach report filed with HHS OCR listing 2,771 affected individuals in an Unauthorized Access/Disclosure event at Email

Sep 10, 2025

Forensic investigation and document review concludes; files containing PHI/PII in the impacted email accounts are identified as potentially subject to unauthorized access

Sep 30, 2025

Individual notification letters mailed; substitute notice posted on cornerstonesofcare.org and dedicated response line (877) 415-4305 activated

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical diagnosis and treatment information Medical Record Number

03

Contact & insurance

Phishing + targeted scams

Full name Home address Health insurance information Provider information Patient Account Number
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Cornerstones of Care, a 150-year-old nonprofit headquartered in Kansas City, Missouri that provides foster care, adoption, residential treatment, in-home crisis intervention, and outpatient behavioral and mental health services to children and families across Missouri and Kansas, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on February 14, 2025, reporting 2,771 affected individuals in an unauthorized-access event at Email. The entity’s own notice, posted in late September 2025, traces the incident back to an unauthorized party that gained access to a limited number of employee email accounts in the fall of 2024 and confirms that forensic review of the impacted mailboxes was not completed until September 10, 2025. Notification letters began going out on September 30, 2025.

Timeline of what we know

  • August 22, 2024. Cornerstones of Care learns that an unauthorized party may have obtained access to a limited number of employee email accounts. The organization reports the incident to law enforcement and engages third-party forensic professionals.
  • September 10-11, 2024. Forensic investigators later determine that unauthorized access to the impacted email accounts occurred on or about these dates.
  • February 14, 2025. Cornerstones of Care submits its HIPAA breach report to HHS OCR. The portal entry records 2,771 affected individuals, location of breached PHI listed as Email, with the type of breach categorized as an unauthorized access/disclosure incident.
  • September 10, 2025. After a year-long forensic investigation and document review, Cornerstones of Care concludes that files containing protected health information and personally identifiable information stored in the impacted email accounts may have been subject to unauthorized access.
  • September 30, 2025. Individual notification letters are mailed and a substitute notice is posted on the entity’s newsroom page. A dedicated toll-free response line - (877) 415-4305 - is activated, staffed 9:00 a.m. to 9:00 p.m. ET, Monday through Friday.

What was exposed

According to the substitute notice posted by Cornerstones of Care, the files in the impacted email accounts may have contained the following data elements, depending on the individual:

  • Full name
  • Home address
  • Date of birth
  • Social Security number
  • Medical diagnosis and treatment information
  • Health insurance information
  • Provider information
  • Medical Record Number
  • Patient Account Number

Not every data element was present for every affected individual.

Why this exposure is especially sensitive: youth and behavioral health populations

Cornerstones of Care’s patient and client population is unusually concentrated on populations that draw heightened legal and ethical protection. Its programs include:

  • Foster care and adoption services for children removed from their birth families, where the existence of a child welfare file is itself sensitive information.
  • Residential treatment for youth ages 6-18 who have experienced trauma, abuse, or neglect, including the Kansas City area’s first Qualified Residential Treatment Program (QRTP).
  • Outpatient mental health therapy and Functional Family Therapy (FFT) for at-risk children, families, and individuals.
  • Intensive In-Home Services and Family Preservation Services - short-term crisis intervention programs for families at imminent risk of having children removed from the home, often involving allegations of substance use, abuse, or neglect.

When PHI for these populations is exposed, the downstream harms are not limited to financial fraud. They include stigma in school and community settings, complications in pending custody and dependency proceedings, retaliation in domestic situations, and chilling effects on a family’s willingness to engage with future behavioral health or child welfare services. To the extent any of the impacted records reference substance use disorder treatment received through a federally assisted program, those records are also subject to the stricter confidentiality protections of 42 CFR Part 2, which generally prohibits use or disclosure of patient identifying information in custody, employment, or criminal proceedings without specific written consent or a Part 2 court order.

What Cornerstones of Care is offering

Individuals whose Social Security numbers were contained in the impacted files have been offered complimentary credit monitoring at no cost. Cornerstones of Care has provided notified individuals with best-practice guidance for protecting their information, including reviewing explanation of benefits statements from health insurers and following up on any items they do not recognize.

For questions about the incident, Cornerstones of Care has established a dedicated toll-free response line at (877) 415-4305, available 9:00 a.m. to 9:00 p.m. ET, Monday through Friday, excluding holidays.

Class-action and regulatory posture

As of this writing, no class-action lawsuit appears to have been filed against Cornerstones of Care arising from this incident, and no plaintiffs’ firm has publicly announced an investigation. The breach record remains listed on the HHS Office for Civil Rights breach portal under the standard Breach Notification Rule review; no public OCR enforcement action has been announced. State attorney general filings, where required by Missouri, Kansas, and other states with affected residents, have not been publicly catalogued in a single location.

This breach is small in headcount relative to the largest healthcare breaches of 2025, but the combination of (a) youth and behavioral health populations, (b) a full Social Security number and medical-history exposure, and (c) a year-plus delay between detection and individual notification creates a meaningful liability exposure that is not yet reflected in the public docket.

What to do if you may be affected

If you, your child, or a family member received foster care, residential treatment, in-home crisis services, outpatient mental health therapy, or adoption services through Cornerstones of Care between roughly 2018 and 2024, you should assume you may be in scope and take the following steps.

  1. Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud. This is the single highest-leverage step when SSNs are in play.
  2. If your child was a client, place a free child credit freeze. Each bureau offers a separate process for freezing a minor’s file. Children’s SSNs are uniquely attractive to identity thieves because they are rarely monitored and provide a clean slate for years.
  3. Enroll in the complimentary credit monitoring if you receive an enrollment code in your notification letter. Letters were mailed starting September 30, 2025.
  4. Request an Identity Protection PIN (IP PIN) from the IRS at irs.gov/ippin. It is free and prevents fraudulent federal returns under your SSN.
  5. Review explanation of benefits statements from your health insurer, Medicaid, or CHIP plan. Report any services, providers, or dates of service you do not recognize to your insurer and to HHS OCR.
  6. Be skeptical of unsolicited outreach. Threat actors often pair leaked names with targeted phishing referencing real provider relationships. Cornerstones of Care will not request your full SSN or banking details by phone to “verify” your file.
  7. Call the dedicated response line at (877) 415-4305 if you have questions or believe you should have received a notification but have not.
  8. Know your 42 CFR Part 2 rights. If any of your or your family’s substance use disorder treatment information surfaces in a custody, employment, criminal, or immigration matter, document it and consult a Missouri or Kansas healthcare-privacy attorney about Part 2 enforcement options.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.