Heartland Health Center Data Breach 2025: 43,728 Patients Exposed in MEDUSA Ransomware Attack on Nebraska FQHC. What To Do
Heartland Health Center, a Nebraska Federally Qualified Health Center (FQHC) with clinics in Grand Island, Ravenna, and Hastings, disclosed a February 2025 MEDUSA ransomware attack affecting 43,728 patients. Names, Social Security numbers, driver's license numbers, financial information, and medical information exposed. Multiple plaintiffs' firms investigating class actions. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 9, 2024
Prior LockBit ransomware attack on Heartland Health Center (separate incident, included for context)
Feb 1, 2025
Attacker gained access
Feb 4, 2025
Heartland detects unauthorized access to its network environment; forensic investigation begins
Jun 3, 2025
File review completes; affected individuals identified
Aug 26, 2025
Confirmation that exposed files contained protected health information
Oct 17, 2025
Individual notification letters mailed; HHS OCR portal submission (43,728 affected; Network Server; Hacking/IT Incident)
Oct 17, 2025
Disclosed publicly
Oct 27, 2025
Strauss Borrelli PLLC publicly announces class-action investigation
Dec 17, 2025
Federman & Sherwood publicly announces data breach investigation
May 9, 2024
Prior LockBit ransomware attack on Heartland Health Center (separate incident, included for context)
Feb 1, 2025
Attacker gained access
Feb 4, 2025
Heartland detects unauthorized access to its network environment; forensic investigation begins
Jun 3, 2025
File review completes; affected individuals identified
Aug 26, 2025
Confirmation that exposed files contained protected health information
Oct 17, 2025
Individual notification letters mailed; HHS OCR portal submission (43,728 affected; Network Server; Hacking/IT Incident)
Oct 17, 2025
Disclosed publicly
Oct 27, 2025
Strauss Borrelli PLLC publicly announces class-action investigation
Dec 17, 2025
Federman & Sherwood publicly announces data breach investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Heartland Health Center, a Nebraska Federally Qualified Health Center (FQHC), filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on October 17, 2025, reporting 43,728 affected individuals in a Hacking/IT Incident at a Network Server. The MEDUSA ransomware group has publicly claimed responsibility.
What happened
Heartland Health Center, Inc. is a Federally Qualified Health Center headquartered in Grand Island, Nebraska, with additional clinics in Ravenna and Hastings. The center serves central Nebraska with family and general practice, pediatrics, women’s health, behavioral health, and dental services. FQHCs typically serve a sliding-scale, Medicaid, and uninsured patient population.
The breach appears to have begun around February 1, 2025, based on the incident date reported in Heartland’s notification letters. Heartland detected the unauthorized access on February 4, 2025. Ransomware.live records MEDUSA’s own leak-site posting as discovered on February 25, 2025, with an estimated attack date of February 24. The MEDUSA ransomware group claimed responsibility, posted sample screenshots of stolen data, and threatened to publish the full data set within 11 to 12 days. Heartland’s public notice describes the event as unauthorized network access and does not formally use the word “ransomware.”
A forensic file review completed on June 3, 2025 identified the affected individuals. By August 26, 2025, Heartland confirmed that exposed files contained protected health information. Individual notification letters were mailed on October 17, 2025, and the HHS OCR portal entry was filed the same day at 43,728 affected.
This is the second publicly reported ransomware attack on Heartland Health Center. The LockBit group hit the entity on May 9, 2024 in a separate incident.
Timeline
- 2024-05-09 — Prior LockBit ransomware attack on Heartland Health Center (separate incident, included for context).
- 2025-02-04 — Unauthorized access detected; forensic investigation begins.
- 2025-06-03 — File review completes; affected individuals identified.
- 2025-08-26 — Confirmation that exposed files contained protected health information.
- 2025-10-17 — Individual notification letters mailed; substitute notice posted for individuals without valid addresses. HHS OCR portal submission posts at 43,728 affected (Network Server; Hacking/IT Incident). Multi-state AG notifications filed (confirmed for Massachusetts and Montana; additional filings to California, Iowa, Maine, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington documented by public aggregators).
- 2025-10-27 — Strauss Borrelli PLLC publicly announces a class-action investigation.
- 2025-12-17 — Federman & Sherwood publicly announces a data breach investigation.
What was exposed
Per Heartland’s notice, the data elements involved vary by individual and may include:
- Name
- Date of birth
- Social Security number
- Driver’s license number
- Financial account number
- Username and access information for a non-financial account
- Dates of service
- Diagnosis information
- Health insurance information
- Physician / medical facility information
- Medical condition / treatment information
- Medical record number
- Medicare or Medicaid number
- Patient account number
- Certificate or license number
- Full face photo
- Referral information
The MEDUSA leak-site posting confirms the attacker possessed actual sample files (not merely a claim). Read your specific notification letter for the elements that apply to your case.
What Heartland is offering
Affected individuals whose Social Security numbers or driver’s license numbers were exposed have been offered 12 months of complimentary credit monitoring, cyber monitoring, and identity theft protection services through TransUnion / Cyberscout. The activation code is included in your individual notification letter.
A dedicated call center is available at 1-833-426-5380, Monday through Friday, 8 a.m. to 8 p.m. Eastern Time. Representatives were available for 90 days from the October 17, 2025 mailing date; to continue receiving support beyond that window, enrollment in the monitoring services is required. For direct questions to Heartland, contact Operations Director Laura Salber at [email protected] or (308) 646-3568. CEO Tami Smith signed the notification letter.
A substitute notice was posted publicly for individuals who could not be reached by mail. Heartland also engaged third-party forensic and cybersecurity experts, notified law enforcement, and states it has implemented additional safeguards.
Class-action posture
At least six plaintiffs’ firms have publicly opened investigations:
- Federman & Sherwood
- Cafferty Clobes Meriwether & Sprengel LLP
- Strauss Borrelli PLLC (announced 2025-10-27)
- Markovits, Stock & DeMarco, LLC
- Dapeer Law
- Console & Associates, P.C.
Given the SSN-plus-driver’s-license-plus-medical-records scope, the patient-population vulnerability (FQHC / Medicaid-heavy), and the entity’s repeat-victim status (LockBit 2024, MEDUSA 2025), class certification is plausible. We will update this page as complaints are docketed.
What to do if you may be affected
- Read your specific notification letter to confirm what data elements were involved for you.
- Enroll in the offered 12 months of TransUnion / Cyberscout credit monitoring using the activation code in your letter.
- Place free credit freezes at Equifax, Experian, and TransUnion. Full SSN and driver’s license number are in scope; a freeze is the highest-leverage protective step.
- File IRS Form 14039 (Identity Theft Affidavit) if you see suspicious tax-return activity.
- Replace your driver’s license through the Nebraska DMV if your DL number was exposed. Nebraska does not auto-reissue after breaches.
- If you are a Medicare or Medicaid recipient, watch your Explanation of Benefits and Notice of Action statements for unfamiliar claims. Medical-identity fraud can disrupt eligibility.
- Cancel and reissue any payment cards that may be tied to Heartland billing if a financial account number was exposed.
- Stop the ongoing flow of your community health center data. HealthConsent files HIPAA restriction requests covering FQHC, Medicaid managed care, behavioral-health, and prescription-network pathways.
Sources on this page
- HIPAA Journal: Sedgebrook & Heartland Health Center Ransomware Attacks — established trade-press coverage; data elements; credit-monitoring details.
- RedPacket Security: MEDUSA Ransomware Victim - Heartland Health Center — attacker attribution; dark-web leak-site listing.
- Strauss Borrelli PLLC: Heartland Investigation — class-action investigation announcement.
- Federman & Sherwood: Heartland Investigation — plaintiff-firm investigation.
- Cafferty Clobes Meriwether & Sprengel: Heartland Investigation — plaintiff-firm investigation.
- Markovits, Stock & DeMarco: Heartland Class Action Investigation — plaintiff-firm investigation.
- ClaimDepot: Heartland Health Breach 43,728 — aggregated breach detail.
- calHIPAA: October 2025 Healthcare Data Breach Report — monthly OCR roll-up confirming filing.
- Nebraska AG Data Breach Public Search — state regulatory filing index.
- Montana DOJ: Heartland Health Center Consumer Notification Letter (Oct 17, 2025) — state-filed copy of the actual notification letter; confirms call center number, contact personnel, and credit monitoring details.
- Ransomware.live: MEDUSA — Heartland Health Center — threat-intel mirror of the MEDUSA dark-web listing; records discovery date of 2025-02-25 and estimated attack date of 2025-02-24.
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Sedgebrook & Heartland Health Center Ransomware Attacks
- RedPacket Security: MEDUSA Ransomware Victim - Heartland Health Center
- Strauss Borrelli PLLC: Heartland Health Center Investigation (2025-10-27)
- Federman & Sherwood: Heartland Health Center Investigation
- Cafferty Clobes Meriwether & Sprengel: Heartland Investigation
- Markovits, Stock & DeMarco: Heartland Health Class Action Investigation
- ClaimDepot: Heartland Health Breach Exposes SSNs & Health Info of 43,728
- calHIPAA: Healthcare Data Breach Report for October 2025
- Nebraska AG: Data Breach Public Search Portal
- Montana DOJ: Heartland Health Center Consumer Notification Letter (Oct 17, 2025)
- Ransomware.live: MEDUSA — Heartland Health Center (discovered 2025-02-25)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.