Escambia Community Clinics (Community Health Northwest Florida) Data Breach: 143,969 Affected · RansomHub Attack · Pensacola FQHC
Community Health Northwest Florida, the Pensacola-area federally qualified health center operated by Escambia Community Clinics, Inc., reported a hacking incident to HHS OCR on February 3, 2025 affecting 143,969 individuals. RansomHub claimed responsibility. Names, Social Security numbers, driver's license numbers, financial account data, and full medical records were exposed.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 24, 2024
CHNF detects suspicious activity on its network; immediately takes systems offline as a precaution.
Dec 26, 2024
CEO Chandra Smiley confirms the attack publicly. Dental, pharmacy, x-ray, and mammography services are temporarily affected; pediatric and primary care continue on a limited basis.
Jan 12, 2025
CHNF announces systems are fully restored across all 19 locations.
Jan 13, 2025
RansomHub posts CHNF on its dark-web leak site, claiming 68 GB of stolen data and issuing a one-week ransom payment deadline.
Feb 3, 2025
Breach reported to HHS OCR (143,969 affected; Hacking/IT Incident at Network Server).
Mar 6, 2025
CHNF posts an early cybersecurity incident notice on its website (healthcarewithinreach.org).
Jan 19, 2026
Document-by-document forensic review completed with assistance of an outside data mining firm; final list of impacted individuals confirmed.
Jan 26, 2026
CHNF posts substitute notice on its website and begins mailing individual notification letters. Letters include a unique code to enroll in 12 months of free Cyberscout/TransUnion credit monitoring (90-day enrollment window).
Jan 27, 2026
Notice filed with the Vermont Attorney General. Plaintiff firms Strauss Borrelli PLLC and Shamis & Gentile P.A. announce class-action investigations.
Dec 24, 2024
CHNF detects suspicious activity on its network; immediately takes systems offline as a precaution.
Dec 26, 2024
CEO Chandra Smiley confirms the attack publicly. Dental, pharmacy, x-ray, and mammography services are temporarily affected; pediatric and primary care continue on a limited basis.
Jan 12, 2025
CHNF announces systems are fully restored across all 19 locations.
Jan 13, 2025
RansomHub posts CHNF on its dark-web leak site, claiming 68 GB of stolen data and issuing a one-week ransom payment deadline.
Feb 3, 2025
Breach reported to HHS OCR (143,969 affected; Hacking/IT Incident at Network Server).
Mar 6, 2025
CHNF posts an early cybersecurity incident notice on its website (healthcarewithinreach.org).
Jan 19, 2026
Document-by-document forensic review completed with assistance of an outside data mining firm; final list of impacted individuals confirmed.
Jan 26, 2026
CHNF posts substitute notice on its website and begins mailing individual notification letters. Letters include a unique code to enroll in 12 months of free Cyberscout/TransUnion credit monitoring (90-day enrollment window).
Jan 27, 2026
Notice filed with the Vermont Attorney General. Plaintiff firms Strauss Borrelli PLLC and Shamis & Gentile P.A. announce class-action investigations.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Escambia Community Clinics, Inc., the nonprofit operator of Community Health Northwest Florida (CHNF) in Pensacola, reported a hacking incident to the HHS Office for Civil Rights on February 3, 2025, affecting 143,969 individuals. Founded in 1992 as a small outpatient primary-care clinic, CHNF has grown into a network of 19 locations across the Pensacola area including clinics, school-based sites, pharmacies, dental offices, and optometry practices. The organization employs 377 people and serves approximately 58,820 patients per year, functioning as the primary-care safety net for medically underserved residents of Escambia and Santa Rosa counties.
On December 24, 2024, CHNF detected suspicious activity within its network environment and immediately took its systems offline as a precaution. The attack disrupted phones, email, internet, and servers across all locations, temporarily preventing patients from making appointments or filling prescriptions. CEO Chandra Smiley publicly acknowledged the attack on December 26, 2024, noting that dental, pharmacy, x-ray, and mammography services were temporarily affected while pediatric and primary-care appointments continued on a limited basis. CHNF engaged third-party cybersecurity specialists to investigate and restore operations; by January 12, 2025, the organization announced that all systems were restored. The RansomHub ransomware group posted CHNF on its dark-web leak site on January 13, 2025, claiming 68 GB of stolen data and issuing a one-week ransom payment deadline. CHNF has not publicly confirmed whether a ransom was paid.
RansomHub operates on a ransomware-as-a-service model in which affiliates pay to use the group’s malware and infrastructure to launch attacks. The group first appeared in February 2024 and has since claimed hundreds of attacks across healthcare and other sectors.
The forensic review proved unusually time-consuming. CHNF engaged an outside data mining firm to conduct a file-by-file review of the affected systems. That process was not completed until January 19, 2026, more than 13 months after discovery. CHNF filed an early incident notice with HHS OCR on February 3, 2025, as required by HIPAA’s 60-day reporting deadline, and also posted an early cybersecurity incident notice on its website in March 2025. Individual notification letters were not mailed until January 26, 2026. HIPAA Journal covered this breach as part of its reporting on healthcare organizations that delayed notifying individuals of 2024 incidents by more than a year.
What was exposed
According to the substitute notice and the notification letter distributed to affected individuals, the following data elements were potentially exposed, varying by person:
- Full name
- Date of birth
- Social Security number
- Driver’s license or state identification card number
- Financial account number
- Credit or debit card number
- Patient identification and medical record number
- Medical information
- Health insurance information
The combination of Social Security number, driver’s license number, financial account data, and detailed clinical records places this breach in the most severe category for downstream identity-theft and medical-identity-fraud risk.
What CHNF is offering
CHNF’s January 2026 notification letters offer 12 months of complimentary single-bureau credit monitoring, a credit report, and a credit score through Cyberscout, a TransUnion company, along with proactive fraud assistance. Enrollment requires the unique code provided in the notification letter and must be completed within 90 days of the letter date (letters dated January 26, 2026, so the enrollment window closed approximately April 26, 2026). Enrollment is done online and requires an internet connection and email address; it is not available to minors under 18.
If you did not receive a letter but believe you may be affected, CHNF established a dedicated assistance line at 850-384-4701 (Monday through Friday, 9 a.m. to 6 p.m. Eastern, excluding national holidays). A second assistance number, 833-580-0425 (Monday through Friday, 8 a.m. to 8 p.m. Eastern), has been cited in secondary reports. If your enrollment window has closed, call to ask whether monitoring can still be activated.
Sensitive-population considerations (FQHC)
Community Health Northwest Florida is a federally qualified health center serving the Florida Panhandle. FQHC patient panels typically include populations for whom this kind of disclosure carries above-average harm:
- Medicaid, dual-eligible, and uninsured patients who depend on CHNF as their only realistic primary-care option and cannot easily change providers.
- Patients with behavioral health, HIV, substance-use, or reproductive-health encounters. The breached “medical information” element could include records from these encounters. Under 42 CFR Part 2 (civil enforcement provisions live as of February 16, 2026), substance-use-disorder records carry stronger federal protections than standard HIPAA records and stronger private remedies if improperly re-disclosed.
- Limited-English-proficiency and undocumented patients who may not receive or be able to act on a mailed English-language notification letter.
- Pediatric patients whose Social Security numbers, if exposed, are high-value for synthetic-identity fraud. SSN fraud built on a child’s number can go undetected until the child reaches adulthood and applies for credit or employment.
If you received care at CHNF, including at its Pensacola, Brent Lane, Lillian, Century, or school-based and mobile clinic sites, assume your record may be in scope and take protective steps regardless of whether a letter has reached you.
Class actions
Multiple plaintiff firms announced class-action investigations within days of the January 26, 2026 substitute notice:
- Strauss Borrelli PLLC — announced January 27, 2026
- Shamis & Gentile P.A. — announced January 27, 2026
The fact pattern driving these investigations: a 13-month gap between incident discovery and individual notification, RansomHub’s public exfiltration claim, and the breadth of data elements (SSN plus financial account plus full medical record). No docket number for a filed complaint has been publicly confirmed as of this writing.
What to do
- Freeze your credit at all three bureaus: Equifax (equifax.com), Experian (experian.com), and TransUnion (transunion.com). With SSN, date of birth, and driver’s license number in the leaked set, a credit freeze is the highest-leverage protective step. It is free and reversible.
- Enroll in CHNF’s credit monitoring if your 90-day window is still open. If the deadline has passed, call 850-384-4701 to ask whether enrollment can still be activated. Enrollment does not waive any legal claims.
- File IRS Form 14039 (Identity Theft Affidavit) if you are concerned about tax-return fraud. With Social Security numbers confirmed in scope, tax-identity theft is a real risk.
- Pull your medical records and explanation-of-benefits statements from CHNF and from any insurer that covered your CHNF care. Flag any services, prescriptions, or referrals you do not recognize. Medical-identity theft is harder to detect than financial fraud and harder to unwind.
- Watch financial accounts and card statements closely for the next 12 to 24 months. Threat actors often hold compromised financial data for months before monetizing it.
- Be alert for targeted phishing referencing CHNF, your provider, or your medications. Attackers who exfiltrate clinical records frequently use those details to craft convincing follow-on messages.
- If you are a parent of a CHNF pediatric patient: freeze your child’s credit at all three bureaus now. Synthetic-identity fraud built on a child’s SSN can go undetected for years.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests so the medical and insurance information exposed in this breach is not continuously re-shared with insurers, data brokers, and third-party health networks.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Vermont Attorney General – CHNF data breach notice (filed Jan 26, 2026)
- Community Health Northwest Florida – Official cybersecurity incident notice (Mar 6, 2025)
- Strauss Borrelli PLLC – Community Health Northwest Florida investigation
- Shamis & Gentile P.A. – Community Health Northwest Florida investigation (via ClaimDepot)
- ClassAction.org – Community Health Northwest Florida (January 2026)
- ClaimDepot – Community Health NW Florida breach exposes protected information
- Comparitech – Ransomware gang says it hacked Pensacola, FL medical clinics (updated Jan 27, 2026)
- Pensacola News Journal – Community Health Northwest Florida targeted in cyber attack (Dec 27, 2024)
- HIPAA Journal – Patients Learn Their Health Data Was Compromised More Than a Year Later
- WEAR TV ABC 3 – CEO assures data safety as Community Health NW Florida recovers from cyber breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.