Active breach tracker Grand Island, NE HQ Disclosed October 17, 2025

Heartland Health Center Data Breach 2025: 43,728 Patients Exposed in MEDUSA Ransomware Attack on Nebraska FQHC. What To Do

Heartland Health Center, a Nebraska Federally Qualified Health Center (FQHC) with clinics in Grand Island, Ravenna, and Hastings, disclosed a February 2025 MEDUSA ransomware attack affecting 43,728 patients. Names, Social Security numbers, driver's license numbers, financial information, and medical information exposed. Multiple plaintiffs' firms investigating class actions. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 9, 2024

Prior LockBit ransomware attack on Heartland Health Center (separate incident, included for context)

Feb 1, 2025

Attacker gained access

Feb 4, 2025

Heartland detects unauthorized access to its network environment; forensic investigation begins

Jun 3, 2025

File review completes; affected individuals identified

Aug 26, 2025

Confirmation that exposed files contained protected health information

Oct 17, 2025

Individual notification letters mailed; HHS OCR portal submission (43,728 affected; Network Server; Hacking/IT Incident)

Oct 17, 2025

Disclosed publicly

Oct 27, 2025

Strauss Borrelli PLLC publicly announces class-action investigation

Dec 17, 2025

Federman & Sherwood publicly announces data breach investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number Certificate or license number

02

Health records

Don't expire and can't be reissued

Diagnosis information Medical condition / treatment information Medical record number

03

Contact & insurance

Phishing + targeted scams

Full name Financial account information Username and access information for a non-financial account Dates of service Health insurance information Physician / medical facility information Medicare or Medicaid number Patient account number Full face photo Referral information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (publicly investigating) Cafferty Clobes Meriwether & Sprengel LLP (publicly investigating) Strauss Borrelli PLLC (publicly investigating; announced 2025-10-27) Markovits, Stock & DeMarco, LLC (publicly investigating) Dapeer Law (publicly investigating) Console & Associates, P.C. (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Heartland Health Center, a Nebraska Federally Qualified Health Center (FQHC), filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on October 17, 2025, reporting 43,728 affected individuals in a Hacking/IT Incident at a Network Server. The MEDUSA ransomware group has publicly claimed responsibility.

What happened

Heartland Health Center, Inc. is a Federally Qualified Health Center headquartered in Grand Island, Nebraska, with additional clinics in Ravenna and Hastings. The center serves central Nebraska with family and general practice, pediatrics, women’s health, behavioral health, and dental services. FQHCs typically serve a sliding-scale, Medicaid, and uninsured patient population.

The breach appears to have begun around February 1, 2025, based on the incident date reported in Heartland’s notification letters. Heartland detected the unauthorized access on February 4, 2025. Ransomware.live records MEDUSA’s own leak-site posting as discovered on February 25, 2025, with an estimated attack date of February 24. The MEDUSA ransomware group claimed responsibility, posted sample screenshots of stolen data, and threatened to publish the full data set within 11 to 12 days. Heartland’s public notice describes the event as unauthorized network access and does not formally use the word “ransomware.”

A forensic file review completed on June 3, 2025 identified the affected individuals. By August 26, 2025, Heartland confirmed that exposed files contained protected health information. Individual notification letters were mailed on October 17, 2025, and the HHS OCR portal entry was filed the same day at 43,728 affected.

This is the second publicly reported ransomware attack on Heartland Health Center. The LockBit group hit the entity on May 9, 2024 in a separate incident.

Timeline

  • 2024-05-09 — Prior LockBit ransomware attack on Heartland Health Center (separate incident, included for context).
  • 2025-02-04 — Unauthorized access detected; forensic investigation begins.
  • 2025-06-03 — File review completes; affected individuals identified.
  • 2025-08-26 — Confirmation that exposed files contained protected health information.
  • 2025-10-17 — Individual notification letters mailed; substitute notice posted for individuals without valid addresses. HHS OCR portal submission posts at 43,728 affected (Network Server; Hacking/IT Incident). Multi-state AG notifications filed (confirmed for Massachusetts and Montana; additional filings to California, Iowa, Maine, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington documented by public aggregators).
  • 2025-10-27 — Strauss Borrelli PLLC publicly announces a class-action investigation.
  • 2025-12-17 — Federman & Sherwood publicly announces a data breach investigation.

What was exposed

Per Heartland’s notice, the data elements involved vary by individual and may include:

  • Name
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Financial account number
  • Username and access information for a non-financial account
  • Dates of service
  • Diagnosis information
  • Health insurance information
  • Physician / medical facility information
  • Medical condition / treatment information
  • Medical record number
  • Medicare or Medicaid number
  • Patient account number
  • Certificate or license number
  • Full face photo
  • Referral information

The MEDUSA leak-site posting confirms the attacker possessed actual sample files (not merely a claim). Read your specific notification letter for the elements that apply to your case.

What Heartland is offering

Affected individuals whose Social Security numbers or driver’s license numbers were exposed have been offered 12 months of complimentary credit monitoring, cyber monitoring, and identity theft protection services through TransUnion / Cyberscout. The activation code is included in your individual notification letter.

A dedicated call center is available at 1-833-426-5380, Monday through Friday, 8 a.m. to 8 p.m. Eastern Time. Representatives were available for 90 days from the October 17, 2025 mailing date; to continue receiving support beyond that window, enrollment in the monitoring services is required. For direct questions to Heartland, contact Operations Director Laura Salber at [email protected] or (308) 646-3568. CEO Tami Smith signed the notification letter.

A substitute notice was posted publicly for individuals who could not be reached by mail. Heartland also engaged third-party forensic and cybersecurity experts, notified law enforcement, and states it has implemented additional safeguards.

Class-action posture

At least six plaintiffs’ firms have publicly opened investigations:

  • Federman & Sherwood
  • Cafferty Clobes Meriwether & Sprengel LLP
  • Strauss Borrelli PLLC (announced 2025-10-27)
  • Markovits, Stock & DeMarco, LLC
  • Dapeer Law
  • Console & Associates, P.C.

Given the SSN-plus-driver’s-license-plus-medical-records scope, the patient-population vulnerability (FQHC / Medicaid-heavy), and the entity’s repeat-victim status (LockBit 2024, MEDUSA 2025), class certification is plausible. We will update this page as complaints are docketed.

What to do if you may be affected

  1. Read your specific notification letter to confirm what data elements were involved for you.
  2. Enroll in the offered 12 months of TransUnion / Cyberscout credit monitoring using the activation code in your letter.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. Full SSN and driver’s license number are in scope; a freeze is the highest-leverage protective step.
  4. File IRS Form 14039 (Identity Theft Affidavit) if you see suspicious tax-return activity.
  5. Replace your driver’s license through the Nebraska DMV if your DL number was exposed. Nebraska does not auto-reissue after breaches.
  6. If you are a Medicare or Medicaid recipient, watch your Explanation of Benefits and Notice of Action statements for unfamiliar claims. Medical-identity fraud can disrupt eligibility.
  7. Cancel and reissue any payment cards that may be tied to Heartland billing if a financial account number was exposed.
  8. Stop the ongoing flow of your community health center data. HealthConsent files HIPAA restriction requests covering FQHC, Medicaid managed care, behavioral-health, and prescription-network pathways.

Sources on this page

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.