Active breach tracker Toledo, Ohio Disclosed September 30, 2025

Harbor Data Breach 2025: 216,000 Ohio Mental Health & SUD Patients Exposed. SSNs, Treatment Records, 42 CFR Part 2. What To Do

Harbor, the Toledo-based nonprofit behavioral health and substance use disorder provider serving 30,000+ Ohioans annually, disclosed a July 25–August 1, 2025 network intrusion exposing names, Social Security numbers, driver's licenses, financial accounts, and mental health/SUD treatment records for 216,000 individuals. 42 CFR Part 2 applies. Federman & Sherwood is investigating. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 25, 2025

Unauthorized actor begins accessing Harbor's network

Aug 1, 2025

Suspicious activity detected; access cut off; law enforcement notified

Sep 30, 2025

Public substitute notice posted to harbor.org; website notification begins

Sep 30, 2025

Disclosed publicly

Oct 24, 2025

Written notification letters mailed; Maine, Massachusetts, and Montana AG filings

Nov 4, 2025

Federman & Sherwood announces class-action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number or state ID number

02

Health records

Don't expire and can't be reissued

Medical diagnosis and treatment information Clinical information (mental health and SUD treatment records, 42 CFR Part 2 protected)

03

Contact & insurance

Phishing + targeted scams

Full name Address Financial account information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (publicly investigating, announced November 4, 2025) The Lyon Firm (publicly investigating) Dapeer Law, P.A. (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Harbor is the operating name of Harbor Inc., a Toledo-headquartered 501(c)(3) nonprofit behavioral health agency founded in 1946. It runs 19 locations across northwest Ohio and serves more than 30,000 Ohioans annually with mental health treatment, substance use disorder (SUD) treatment, primary care, vocational rehabilitation, residential rehab, telehealth, peer support, and OhioRISE care coordination for youth.

On August 1, 2025, Harbor detected suspicious activity on its computer network. Forensic investigation determined that an unauthorized actor accessed Harbor’s network between July 25 and August 1, 2025 and exfiltrated files containing patient and employee information. Harbor notified law enforcement, posted a substitute notice on harbor.org on September 30, 2025, and began mailing written notification letters on or about October 24, 2025. Harbor also filed regulatory notifications with the Maine, Massachusetts, and Montana Attorneys General on or around the same date. The Maine AG filing documented five Maine residents among those notified.

Total affected: 216,000 individuals (figure tracked through state AG aggregator reporting; consistent with the HHS OCR portal entry for the incident).

Timeline

  • July 25, 2025 — Unauthorized access to Harbor’s network begins.
  • August 1, 2025 — Suspicious activity detected; access terminated; law enforcement notified.
  • September 30, 2025 — Public substitute notice posted to harbor.org.
  • October 24, 2025 — Written notification letters mailed; Maine, Massachusetts, and Montana AG filings. Maine AG filing documented five Maine residents notified.
  • November 4, 2025 — Federman & Sherwood publicly announces class-action investigation.

What was exposed

Per Harbor’s public notice, the specific data elements vary by individual but could include any combination of:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Driver’s license number or other state ID number
  • Financial account information
  • Health insurance information
  • Medical diagnosis and treatment information
  • Clinical information (mental health and SUD treatment records)

Read your individual notification letter carefully — it lists the exact fields exposed for you.

Sensitive-population considerations — 42 CFR Part 2 applies

Harbor is a federally-assisted SUD treatment program, so a meaningful portion of the compromised records are protected by 42 CFR Part 2 in addition to HIPAA. Part 2 imposes stricter consent and re-disclosure rules than HIPAA, gives patients a private remedy for unauthorized re-disclosure, and is now jointly enforced by HHS OCR under the unified rule effective February 16, 2026.

In plain terms: clinical and treatment records exfiltrated from a Part 2 program carry heightened legal weight. If those records surface anywhere downstream (data broker dossiers, dark-web markets, secondary breach indexes) and are re-disclosed without your consent, you have remedies that ordinary HIPAA breach victims do not. Harbor’s public notice does not explicitly invoke Part 2 by name, which itself may become a focal point in litigation.

For mental health and SUD patients, the practical harm from this breach is not only identity theft. It is the existence of a file, somewhere outside Harbor’s network, naming you as a behavioral health patient and describing your diagnosis and treatment.

Class-action posture

  • Federman & Sherwood (Oklahoma City) announced a class-action investigation on November 4, 2025.
  • The Lyon Firm is also publicly investigating and soliciting plaintiffs.
  • Dapeer Law, P.A. is publicly investigating and accepting inquiries from affected individuals.
  • No consolidated complaint has been publicly identified in the Northern District of Ohio as of this update. All three firms remain at the investigation stage. We will update this section when a docket entry appears.

What Harbor is offering

  • Complimentary credit monitoring and identity protection through Epiq: one-bureau credit monitoring with alerts, dark-web monitoring, credit-freeze assistance, change-of-address monitoring, and identity restoration support.
  • Dedicated call center: 855-291-2669 (Monday–Friday, 9 a.m. to 9 p.m.).
  • Enrollment instructions are in the individual letter.

What to do

  1. Enroll in the Epiq monitoring using the activation code in your letter. Do not skip this step — full SSN is in scope for many in the class.
  2. Place free credit freezes at all three nationwide bureaus (Equifax, Experian, TransUnion). About ten minutes per bureau. This is the single highest-leverage step against new-account identity theft.
  3. File IRS Form 14039 (Identity Theft Affidavit) if you have not already, so a tax-refund fraudster cannot file in your name.
  4. Watch your health-insurance Explanation of Benefits statements for services you did not receive — medical identity theft uses your insurance, not your credit.
  5. If you are an SUD patient, document any unauthorized re-disclosure of your treatment records. Part 2 gives you stronger private remedies than HIPAA alone.
  6. Stop the ongoing flow of your treatment data downstream. HealthConsent files HIPAA and 42 CFR Part 2 restriction requests with covered entities and their downstream recipients, so the highly sensitive behavioral health data exposed in this breach is not continuously re-shared in routine treatment, payment, and operations disclosures.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.