Harbor Data Breach 2025: 216,000 Ohio Mental Health & SUD Patients Exposed. SSNs, Treatment Records, 42 CFR Part 2. What To Do
Harbor, the Toledo-based nonprofit behavioral health and substance use disorder provider serving 30,000+ Ohioans annually, disclosed a July 25–August 1, 2025 network intrusion exposing names, Social Security numbers, driver's licenses, financial accounts, and mental health/SUD treatment records for 216,000 individuals. 42 CFR Part 2 applies. Federman & Sherwood is investigating. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jul 25, 2025
Unauthorized actor begins accessing Harbor's network
Aug 1, 2025
Suspicious activity detected; access cut off; law enforcement notified
Sep 30, 2025
Public substitute notice posted to harbor.org; website notification begins
Sep 30, 2025
Disclosed publicly
Oct 24, 2025
Written notification letters mailed; Maine, Massachusetts, and Montana AG filings
Nov 4, 2025
Federman & Sherwood announces class-action investigation
Jul 25, 2025
Unauthorized actor begins accessing Harbor's network
Aug 1, 2025
Suspicious activity detected; access cut off; law enforcement notified
Sep 30, 2025
Public substitute notice posted to harbor.org; website notification begins
Sep 30, 2025
Disclosed publicly
Oct 24, 2025
Written notification letters mailed; Maine, Massachusetts, and Montana AG filings
Nov 4, 2025
Federman & Sherwood announces class-action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Harbor is the operating name of Harbor Inc., a Toledo-headquartered 501(c)(3) nonprofit behavioral health agency founded in 1946. It runs 19 locations across northwest Ohio and serves more than 30,000 Ohioans annually with mental health treatment, substance use disorder (SUD) treatment, primary care, vocational rehabilitation, residential rehab, telehealth, peer support, and OhioRISE care coordination for youth.
On August 1, 2025, Harbor detected suspicious activity on its computer network. Forensic investigation determined that an unauthorized actor accessed Harbor’s network between July 25 and August 1, 2025 and exfiltrated files containing patient and employee information. Harbor notified law enforcement, posted a substitute notice on harbor.org on September 30, 2025, and began mailing written notification letters on or about October 24, 2025. Harbor also filed regulatory notifications with the Maine, Massachusetts, and Montana Attorneys General on or around the same date. The Maine AG filing documented five Maine residents among those notified.
Total affected: 216,000 individuals (figure tracked through state AG aggregator reporting; consistent with the HHS OCR portal entry for the incident).
Timeline
- July 25, 2025 — Unauthorized access to Harbor’s network begins.
- August 1, 2025 — Suspicious activity detected; access terminated; law enforcement notified.
- September 30, 2025 — Public substitute notice posted to harbor.org.
- October 24, 2025 — Written notification letters mailed; Maine, Massachusetts, and Montana AG filings. Maine AG filing documented five Maine residents notified.
- November 4, 2025 — Federman & Sherwood publicly announces class-action investigation.
What was exposed
Per Harbor’s public notice, the specific data elements vary by individual but could include any combination of:
- Full name
- Address
- Date of birth
- Social Security number
- Driver’s license number or other state ID number
- Financial account information
- Health insurance information
- Medical diagnosis and treatment information
- Clinical information (mental health and SUD treatment records)
Read your individual notification letter carefully — it lists the exact fields exposed for you.
Sensitive-population considerations — 42 CFR Part 2 applies
Harbor is a federally-assisted SUD treatment program, so a meaningful portion of the compromised records are protected by 42 CFR Part 2 in addition to HIPAA. Part 2 imposes stricter consent and re-disclosure rules than HIPAA, gives patients a private remedy for unauthorized re-disclosure, and is now jointly enforced by HHS OCR under the unified rule effective February 16, 2026.
In plain terms: clinical and treatment records exfiltrated from a Part 2 program carry heightened legal weight. If those records surface anywhere downstream (data broker dossiers, dark-web markets, secondary breach indexes) and are re-disclosed without your consent, you have remedies that ordinary HIPAA breach victims do not. Harbor’s public notice does not explicitly invoke Part 2 by name, which itself may become a focal point in litigation.
For mental health and SUD patients, the practical harm from this breach is not only identity theft. It is the existence of a file, somewhere outside Harbor’s network, naming you as a behavioral health patient and describing your diagnosis and treatment.
Class-action posture
- Federman & Sherwood (Oklahoma City) announced a class-action investigation on November 4, 2025.
- The Lyon Firm is also publicly investigating and soliciting plaintiffs.
- Dapeer Law, P.A. is publicly investigating and accepting inquiries from affected individuals.
- No consolidated complaint has been publicly identified in the Northern District of Ohio as of this update. All three firms remain at the investigation stage. We will update this section when a docket entry appears.
What Harbor is offering
- Complimentary credit monitoring and identity protection through Epiq: one-bureau credit monitoring with alerts, dark-web monitoring, credit-freeze assistance, change-of-address monitoring, and identity restoration support.
- Dedicated call center: 855-291-2669 (Monday–Friday, 9 a.m. to 9 p.m.).
- Enrollment instructions are in the individual letter.
What to do
- Enroll in the Epiq monitoring using the activation code in your letter. Do not skip this step — full SSN is in scope for many in the class.
- Place free credit freezes at all three nationwide bureaus (Equifax, Experian, TransUnion). About ten minutes per bureau. This is the single highest-leverage step against new-account identity theft.
- File IRS Form 14039 (Identity Theft Affidavit) if you have not already, so a tax-refund fraudster cannot file in your name.
- Watch your health-insurance Explanation of Benefits statements for services you did not receive — medical identity theft uses your insurance, not your credit.
- If you are an SUD patient, document any unauthorized re-disclosure of your treatment records. Part 2 gives you stronger private remedies than HIPAA alone.
- Stop the ongoing flow of your treatment data downstream. HealthConsent files HIPAA and 42 CFR Part 2 restriction requests with covered entities and their downstream recipients, so the highly sensitive behavioral health data exposed in this breach is not continuously re-shared in routine treatment, payment, and operations disclosures.
Continue reading
Sources
- WTOL 11: Harbor, Toledo-based mental health services, investigating data breach
- 13abc: Harbor warns patients, employees of data breach
- Spectrum News 1: Ohio-based substance use, mental health treatment provider warns of data breach
- Federman & Sherwood: Harbor Data Breach Investigation
- The Lyon Firm: Harbor Data Breach Investigation
- ClaimDepot: Harbor Data Breach (216,000 affected)
- ClaimDepot: Harbor Data Breach Lawsuit Investigation (Dapeer Law investigating)
- JoinTheCase: Harbor Data Breach Lawsuit Investigation
- HHS OCR Breach Portal
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- WTOL 11: Harbor, Toledo-based mental health services, investigating data breach
- 13abc: Harbor warns patients, employees of data breach
- Spectrum News 1: Ohio-based substance use, mental health treatment provider warns of data breach
- Federman & Sherwood: Harbor Data Breach Investigation
- The Lyon Firm: Harbor Data Breach Investigation
- ClaimDepot: Harbor Data Breach Exposes Patients' Social Security Numbers (216,000 affected)
- ClaimDepot: Harbor Data Breach Lawsuit Investigation (Dapeer Law investigating)
- JoinTheCase: Harbor Data Breach Lawsuit Investigation
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.