Cumberland County Hospital Association Data Breach 2025: 36,659 Affected at Rural Kentucky Critical-Access Hospital After 41-Day Intrusion
Cumberland County Hospital Association in Burkesville, Kentucky confirmed that an unauthorized third party had access to its network from February 21 to April 3, 2025 and exposed Social Security numbers, full clinical detail, and employee tax and banking records for 36,659 patients and staff. The hospital filed the HIPAA breach report with HHS OCR and mailed individual notification letters on June 2, 2025, offering 12 months of complimentary credit monitoring.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 21, 2025
Unauthorized third party gains access to Cumberland County Hospital Association's computer systems
Apr 3, 2025
Hospital discovers the intrusion; immediately shuts down all computers and disables data sharing connections to contain the incident
Jun 2, 2025
HIPAA breach report filed with HHS OCR (36,659 affected, Hacking/IT Incident, location: Other); individual notification letters mailed to patients and employees the same day
Jun 2, 2025
Substitute notice posted; 12 months of complimentary credit monitoring and identity theft protection offered; dedicated hotline (866-461-3127) opened
Feb 21, 2025
Unauthorized third party gains access to Cumberland County Hospital Association's computer systems
Apr 3, 2025
Hospital discovers the intrusion; immediately shuts down all computers and disables data sharing connections to contain the incident
Jun 2, 2025
HIPAA breach report filed with HHS OCR (36,659 affected, Hacking/IT Incident, location: Other); individual notification letters mailed to patients and employees the same day
Jun 2, 2025
Substitute notice posted; 12 months of complimentary credit monitoring and identity theft protection offered; dedicated hotline (866-461-3127) opened
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Cumberland County Hospital Association — a small community hospital in Burkesville, Kentucky, serving a rural county on the Tennessee border with a population of roughly 6,500 — confirmed that an unauthorized third party had access to its computer systems for a 41-day window from February 21 to April 3, 2025 and exposed sensitive personal, clinical, financial, and employment information for 36,659 current and former patients and employees. The hospital filed the HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights and mailed individual notification letters to affected people on June 2, 2025, offering 12 months of complimentary credit monitoring and identity-theft protection.
The exposure is unusually severe relative to the size of the hospital. Cumberland County Hospital’s electronic medical record (EMR) system itself was not accessed in the intrusion, but the network files that were accessed nonetheless contained the full identity and clinical picture — names, Social Security numbers, diagnoses, medications, treatment notes, and insurance and billing detail — plus, for employees, driver’s license images, birth certificates, background-check files, W-4s, W-2s, and bank account numbers.
Timeline
- February 21, 2025 — Unauthorized third party gains access to Cumberland County Hospital Association’s computer systems. The intrusion goes undetected for the next six weeks.
- April 3, 2025 — Hospital discovers the unauthorized access. CCH immediately shuts down all computers and disables data sharing connections to prevent further access and contain the incident. Law enforcement is notified and third-party cybersecurity experts are engaged for forensic investigation.
- April–May 2025 — Forensic investigation and data review proceed in parallel with system restoration.
- June 2, 2025 — HIPAA breach report filed with HHS OCR. The portal entry lists 36,659 individuals affected, categorized as a Hacking/IT Incident with location Other (i.e., not Network Server, Email, EMR, or one of the other named categories — consistent with the hospital’s statement that the EMR was not involved and the affected data lived in network file shares). Individual notification letters are mailed to patients and employees the same day. A substitute notice is posted and a dedicated hotline opens at 866-461-3127.
What was exposed
Per the substitute notice and the individual notification letters mailed on June 2, 2025, the data elements potentially exposed vary by individual but include the following.
For patients:
- Full name, home address, phone number(s), email address, date of birth
- Race and ethnicity
- Social Security number
- Medications, diagnoses, treatment notes, dates of service, medical record number
- Health plan number, claims and billing information
For current and former employees, additionally:
- Driver’s license number
- Birth certificate
- Background check information
- W-4 and W-2 tax forms
- Bank account number
Cumberland County Hospital has stated that its electronic medical record system was not accessed in the incident — the EMR that CCH and its partners use to record and bill for patient care was outside the scope of the unauthorized access. The exposed data was in network files containing copies of the same categories of information.
Sensitive-population considerations (rural patients)
Cumberland County, Kentucky is a rural county on the Tennessee border with a population of roughly 6,500 people; CCH is the local critical-access-style community hospital. Two specific considerations matter for affected individuals in this population.
Notification logistics are harder in rural counties. The standard breach response model — read your letter, log into three credit-bureau websites, enroll in monitoring with an activation code by a deadline — assumes reliable broadband, a personal device, and a comfort level with online authentication that many rural and older patients do not have. If you received a letter from Cumberland County Hospital and you are not comfortable doing the credit-freeze and monitoring-enrollment steps online, the bureaus accept freezes by mail and by phone, and the hospital’s hotline at 866-461-3127 can walk you through the activation code on your monitoring enrollment.
An exposure of 36,659 people against a county population near 6,500 means the affected individuals reach well beyond county lines. Cumberland County Hospital serves patients from neighboring counties in south-central Kentucky and from across the Tennessee border. Many affected patients will be receiving the letter at an address that is hours from the hospital’s call center; the AP/Yahoo coverage specifically notes that Tennessee residents should also contact the Tennessee Identity Crimes Unit at [email protected] in addition to following the federal FTC guidance at ftc.gov.
What entity is offering
In the June 2, 2025 notification, Cumberland County Hospital Association offered:
- 12 months of complimentary credit monitoring and identity-theft protection to all affected patients and employees. Enrollment is via the activation code printed in each individual’s notification letter.
- A dedicated call center hotline at 866-461-3127 for questions about the incident and for help activating the credit-monitoring service.
- Guidance to use the Federal Trade Commission’s identity-theft resources at ftc.gov, including instructions on placing a credit freeze with the three nationwide consumer reporting agencies.
- For Tennessee residents specifically: referral to the Tennessee Identity Crimes Unit ([email protected]) at the Tennessee Department of Safety and Homeland Security.
The hospital has also stated it has implemented additional security measures to prevent future incidents, though the substitute notice does not enumerate the specific controls added.
Class-action posture
As of mid-May 2026, no class-action complaint has been filed against Cumberland County Hospital Association on the public dockets surfaced by the plaintiffs’ firms that publicly opened investigations. Two firms announced investigations shortly after the June 2, 2025 disclosure:
- Federman & Sherwood — opened an investigation announcement on its firm blog. The firm is in the investigative phase, soliciting potential class representatives; no complaint has been filed.
- Strauss Borrelli PLLC — opened an investigation announcement on June 5, 2025. The firm is similarly in the investigative phase; no complaint has been filed.
In addition, ClassAction.org’s plaintiffs’-firm panel opened a public investigation page and, according to that page, has since concluded its investigation without filing a lawsuit: “Attorneys working with ClassAction.org have finished their investigation into this matter.” The page is now flagged as reference-only.
A consolidated class action covering Cumberland County Hospital would be filed in the U.S. District Court for the Eastern District of Kentucky (the federal district covering Burkesville). As of this update, no such case is publicly docketed. This page will be updated if a complaint is filed and a case number issues.
What to do
If you received a notification letter from Cumberland County Hospital Association — whether as a patient or as a current or former employee — treat this as a high-severity exposure and stack defenses.
- Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online (or can be done by phone or mail), and blocks new-account fraud. With Social Security numbers in the patient data set and bank account numbers in the employee data set, this is the single highest-leverage step.
- Enroll in the 12 months of complimentary credit monitoring using the activation code printed in your notification letter. Activation deadlines are typically printed on the letter; do not let it lapse.
- Call the hospital hotline at 866-461-3127 if you have not received a letter and believe you should have, or if you need help with the activation code.
- Watch your bank accounts and Explanation of Benefits statements from your health plan. Patients are at heightened risk of medical-identity theft (someone using your insurance to obtain care); employees are at heightened risk of account-takeover fraud given the exposure of bank account numbers and W-2 information.
- Request an IRS Identity Protection PIN (IP PIN). Free at irs.gov/ippin. Particularly important for affected employees whose W-2 information was exposed, because the exposure of an SSN plus a W-2 enables fraudulent tax filings.
- If you are a Tennessee resident, also contact the Tennessee Identity Crimes Unit at [email protected] per the hospital’s notice.
- Be skeptical of unsolicited phone, email, or text outreach claiming to be from Cumberland County Hospital, its credit-monitoring vendor, or “the FTC.” Threat actors routinely follow large breaches with targeted phishing using the leaked identifiers. CCH and its monitoring vendor will not ask for your full Social Security number or bank login by phone.
- Document everything. If a class action is later filed, evidence of any out-of-pocket losses, time spent on remediation, or downstream identity-theft incidents will matter to a claim.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (36,659 affected, Hacking/IT Incident, location: Other, reported June 2, 2025).
- HIPAA Journal — Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals — detailed timeline including the February 21–April 3, 2025 intrusion window and the full patient and employee data-element list.
- HIPAA Journal — Cumberland County Hospital Cyberattack Affects 36,600 Patients — independent cross-reference of the 12-month credit-monitoring offer and the response actions (immediate computer shutdown, law-enforcement notification, third-party forensic engagement).
- Yahoo News / AP wire — Data breach at Cumberland County Hospital in Kentucky could impact patients, employees — confirms Burkesville location, hotline number 866-461-3127, and Tennessee Identity Crimes Unit referral.
- ClassAction.org — Cumberland County Hospital Data Breach Lawsuit Investigation — confirms that the panel’s investigation has concluded without filing a lawsuit.
- Federman & Sherwood — Cumberland County Hospital Association Data Breach Investigation — plaintiffs’-firm investigation announcement; no complaint filed.
- Strauss Borrelli PLLC — Cumberland County Hospital Data Breach Investigation — plaintiffs’-firm investigation announcement dated June 5, 2025; no complaint filed.
One-sentence confirmation: this page synthesizes seven sources, every fact stated above appears in at least two of them, and unsourced detail has been omitted.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals
- HIPAA Journal — Cumberland County Hospital Cyberattack Affects 36,600 Patients
- Yahoo News / AP wire — Data breach at Cumberland County Hospital in Kentucky could impact patients, employees
- ClassAction.org — Cumberland County Hospital Data Breach Lawsuit Investigation
- Federman & Sherwood — Cumberland County Hospital Association Data Breach Investigation
- Strauss Borrelli PLLC — Cumberland County Hospital Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.