Active breach tracker Jacksonville, Florida Disclosed May 29, 2025

Gateway Community Services Data Breach 2025: 34,498 Jacksonville SUD + Behavioral Health Patients Exposed. Payouts King Claimed 890 GB. What To Do

Gateway Community Services, Inc., a Jacksonville, Florida behavioral health and substance-use disorder treatment provider, disclosed an April 11, 2025 network intrusion affecting 34,498 current and former patients. Names, SSNs, government IDs, medical treatment information, and health insurance details were exposed. New ransomware group Payouts King later claimed responsibility for 890 GB of exfiltrated data. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 11, 2025

Unauthorized party gained access to GCS network

Apr 11, 2025

Breach detected

May 16, 2025

Forensic review of affected files completed

May 29, 2025

Filed with HHS OCR (34,498 affected); individual notifications mailed

Jun 27, 2025

Payouts King listed GCS on its dark-web leak site, claiming 890 GB

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license or state identification number

02

Health records

Don't expire and can't be reissued

Medical treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (publicly investigating) Strauss Borrelli PLLC (publicly investigating) Cole & Van Note (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Gateway Community Services, Inc. (GCS) is a Jacksonville, Florida-based nonprofit that has provided behavioral health and substance-use disorder (SUD) treatment for more than 45 years, operating five rehabilitation facilities across northeast Florida with detox, residential, and outpatient programs. On April 11, 2025, an unauthorized actor accessed the GCS network and exfiltrated patient files. GCS filed with HHS OCR on May 29, 2025, reporting 34,498 affected current and former patients. In late June 2025, a new ransomware group calling itself Payouts King publicly listed GCS on its dark-web leak site and claimed to have stolen 890 GB of data, including PII, identity documents, and medical records.

Timeline

  • April 11, 2025 — Unauthorized party gained access to GCS’s network environment.
  • May 16, 2025 — Forensic review of affected files completed; final list of affected individuals obtained.
  • May 29, 2025 — GCS filed the incident with the HHS Office for Civil Rights as a Hacking/IT Incident at a Network Server, reporting 34,498 affected, and began mailing individual notification letters.
  • June 27, 2025 — Payouts King added GCS to its dark-web leak site, claiming responsibility and asserting it had exfiltrated 890 GB.

What was exposed

Per GCS’s notification, the data elements potentially accessed or exfiltrated include, varying by individual:

  • Full name and address
  • Date of birth
  • Social Security number
  • Driver’s license or state identification number
  • Medical treatment information
  • Health insurance information

Payouts King’s leak-site post claims the stolen trove also includes identity documents and “full info” on thousands of patients. GCS has stated it has no evidence of misuse as of its notification but is offering 12 months of complimentary credit monitoring and identity-theft protection.

Sensitive-population considerations

GCS is, by its own description, a behavioral health and substance-use disorder treatment provider. That carries two specific consequences for affected patients that a typical hospital breach does not:

  • 42 CFR Part 2 likely applies. Federal Part 2 regulations protect the confidentiality of records of patients who have received diagnosis, treatment, or referral for SUD from a federally-assisted Part 2 program. Part 2 is significantly stricter than HIPAA — it generally prohibits the redisclosure of SUD treatment records without patient consent, even to law enforcement, and even within the healthcare system. If you are a current or former GCS SUD patient and your treatment records were among the files exfiltrated, those records were Part 2 records before the breach, and your Part 2 rights survive the breach. You may demand an accounting of disclosures, request restrictions on redisclosure, and (in some circumstances) seek civil penalties for unauthorized redisclosure.
  • Behavioral health sensitivity. Mental health diagnoses, medications, and treatment history carry social, employment, custody, immigration, and insurance-underwriting consequences that medical-only records typically do not. If Payouts King’s claim of 890 GB is accurate and the data is posted publicly or sold, the downstream risk extends well beyond financial identity theft.

If you received SUD treatment from GCS, treat this breach as a Part 2 event in addition to a HIPAA event.

Class-action posture

Multiple plaintiffs’ firms publicly announced investigations in June 2025, including Federman & Sherwood, Strauss Borrelli PLLC, and Cole & Van Note. ClassAction.org’s pre-filing investigation page on this breach is now listed as completed without an active lawsuit filing visible on that page. We have not located a docketed complaint in the Middle District of Florida as of this writing; the page will be updated if and when a complaint is filed.

What to do

  1. Enroll in the credit monitoring offered in your GCS notification letter (12 months).
  2. Place free credit freezes at all three nationwide credit bureaus (Equifax, Experian, TransUnion). This is the single most effective step against new-account identity theft.
  3. Set fraud alerts on your credit file and review your bank, credit card, and health insurance statements for the next 12-24 months.
  4. File IRS Form 14039 (Identity Theft Affidavit) if you see any signs of tax-related identity theft, since SSNs were in scope.
  5. If you received SUD treatment from GCS, exercise your 42 CFR Part 2 rights. Request an accounting of disclosures, and put any third party that receives your records on notice of the Part 2 redisclosure prohibition.
  6. Stop the ongoing flow of your behavioral health data. HealthConsent files HIPAA restriction requests and Part 2 redisclosure restrictions on your behalf and tracks the responses.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.