Active breach tracker Wichita, Kansas Disclosed May 15, 2025

Hunter Health Clinic Data Breach 2025: 28,431 Patients · Wichita FQHC Hacking/IT Incident · Class-Action Investigations Open

Hunter Health Clinic, the federally qualified health center serving Wichita, Kansas since 1976 and the only Urban Indian Health Program in the state, filed a HIPAA breach notification with HHS OCR on May 15, 2025 reporting 28,431 affected individuals from a Hacking/IT Incident classified as Network Server. Unauthorized access to an employee email account ran from September 27 to September 30, 2024 and was confirmed May 1, 2025. Exposed data includes Social Security numbers, dates of birth, driver's license and state ID numbers, financial account information, medical and clinical information, patient account numbers, and health insurance information. Twelve months of IDX identity-theft protection offered. Multiple plaintiff-side firms publicly investigating.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 27, 2024

Unauthorized access to an employee email account begins (per Hunter Health notice)

Sep 30, 2024

Hunter Health identifies unauthorized access and secures the email account; third-party forensic specialists engaged

May 1, 2025

Forensic review of mailbox contents concludes; data elements implicated for affected individuals confirmed

May 15, 2025

HHS OCR breach filing: 28,431 affected; Hacking/IT Incident, Network Server. Individual notification letters mailed; 12 months of IDX identity-theft protection offered

May 16, 2025

Strauss Borrelli PLLC publicly announces investigation

May 20, 2025

Local Wichita press (KWCH, KAKE, KSN) report the notification; Hunter Health publishes patient FAQ at 1-877-547-9047

May 27, 2025

Morgan & Morgan publishes consumer alert; Federman & Sherwood and Arnold Law Firm investigations also publicly active

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license, state ID, and other government ID numbers

02

Health records

Don't expire and can't be reissued

Medical and clinical information

03

Contact & insurance

Phishing + targeted scams

Names Dates of birth Financial account information Patient account numbers Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (publicly investigating) Strauss Borrelli PLLC (publicly investigating) Arnold Law Firm (publicly investigating) Morgan & Morgan (publicly investigating) ClassAction.org-affiliated counsel (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Hunter Health Clinic, the federally qualified health center that has served Wichita, Kansas since 1976 and operates as the only Urban Indian Health Program in the state, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on May 15, 2025, reporting 28,431 affected individuals in a Hacking/IT Incident categorized on the OCR portal as Network Server. Hunter Health’s own notification describes the underlying vector more specifically as unauthorized access to a single employee email account between September 27 and September 30, 2024, with the mailbox review concluding on May 1, 2025. A parallel filing with the Maine Attorney General’s office cited a higher figure of 31,778 individuals, including five Maine residents, which suggests the final affected population may be revised upward as state-by-state reconciliation continues.

Timeline

  • September 27, 2024 — Unauthorized party first accesses an employee email account at Hunter Health, per the entity notice. Files containing protected health information and other personally identifiable information were stored in that mailbox.
  • September 30, 2024 — Hunter Health identifies the unauthorized access, secures the account, and engages third-party cybersecurity specialists to investigate.
  • September 27 to September 30, 2024 — Confirmed window of unauthorized access (a four-day exposure window).
  • May 1, 2025 — Mailbox content review concludes; Hunter Health confirms which data elements were implicated and identifies affected individuals.
  • May 15, 2025 — HHS OCR breach filing: 28,431 affected, Hacking/IT Incident, Network Server. Individual notification letters mailed via U.S. Mail. Twelve months of IDX identity-theft protection offered to recipients whose Social Security numbers were involved. Maine AG filing lists 31,778 individuals.
  • May 16, 2025 — Strauss Borrelli PLLC publicly announces a class-action investigation.
  • May 20, 2025 — Local Wichita television (KWCH, KAKE, KSN) and the Kansas Salina-area press (KSAL) report the notification. Hunter Health establishes a dedicated call center at 1-877-547-9047, open Monday-Friday 8 a.m. to 8 p.m.
  • Late May 2025 — Federman & Sherwood, Arnold Law Firm, Morgan & Morgan, and ClassAction.org-affiliated counsel publicly open investigations.

What was exposed

Per Hunter Health’s notice and parallel reporting, the data elements implicated for at least some affected individuals include:

  • Names
  • Dates of birth
  • Social Security numbers
  • Driver’s license, state ID, and other government identification numbers
  • Financial account information
  • Medical and clinical information
  • Patient account numbers
  • Health insurance information

The clinic notes that “the potentially impacted information varies by individual.” That language ordinarily means recipients should look to their own notification letter for the specific elements implicated for them rather than assume the full set.

A reconciling note on numbers and categorization: the OCR portal entry classifies the location of the breached information as Network Server with an affected count of 28,431, while Hunter Health’s own notification and trade-press coverage describe the underlying vector as a compromised employee email account and the Maine AG filing references 31,778 affected individuals. Both can be accurate. OCR’s categorization fields are coarse, and a mailbox hosted on a network mail server is routinely filed as Network Server. Counts also commonly shift between the initial OCR submission and final state attorney-general filings as forensic review reconciles overlapping records.

Sensitive-population considerations (FQHC + Urban Indian Health Program)

Hunter Health is a federally qualified health center and the only Urban Indian Health Program in Kansas, originally established in 1976 to serve American Indian and Alaska Native residents of Sedgwick County and expanded in 1985 to serve all patients. FQHCs are HRSA-supported safety-net clinics that, by statutory mandate, serve patients regardless of ability to pay. Hunter Health’s target population skews low-income, includes a significant Native American patient base, and includes patients for whom an FQHC may be the only realistic primary-care option. Several consequences follow from that mission profile.

  • The data set in aggregate is unusually damaging. The combination of Social Security number, date of birth, driver’s license number, financial-account information, and health-insurance enrollment status is the canonical identity-theft starter kit. It is materially more damaging for patients with thin credit files, unstable housing, or limited time and resources to dispute fraudulent accounts and tax refunds.
  • The clinic’s patient mix raises stigma and discrimination risk. Hunter Health publicly describes integrated primary care and behavioral health and serves vulnerable populations including patients experiencing homelessness. Disclosure of “medical and clinical information” tied to an identified patient can carry housing, employment, custody, and benefits consequences that a pure-fraud framing understates. Substance-use treatment records held by FQHCs may carry additional 42 CFR Part 2 protections; OCR began enforcing Part 2 under a unified rule in February 2026.
  • Tribal-affiliation implications. Because Hunter Health is the only Urban Indian Health Program in Kansas, a meaningful share of the affected population may be enrolled members of federally recognized tribes. Tribal members have specific identity-rebuilding pathways through tribal enrollment offices that non-Native breach victims do not, and federal IHS-network coordination may apply.

What Hunter Health is offering

Hunter Health is offering eligible affected individuals 12 months of complimentary identity-theft protection services through IDX Monitoring, per HIPAA Journal’s reporting on the notice. The offer is targeted at recipients whose Social Security numbers were involved. The clinic has also stated it has implemented additional security controls following the incident and is operating a dedicated patient call center at 1-877-547-9047 (Monday-Friday, 8 a.m. to 8 p.m. local time) for questions.

Class-action posture

As of this update, no class action has been publicly filed against Hunter Health in U.S. District Court for the District of Kansas or in Sedgwick County District Court. However, multiple plaintiff-side firms have publicly opened investigations and are accepting intake from affected individuals: Strauss Borrelli PLLC, Federman & Sherwood, Arnold Law Firm, Morgan & Morgan, and counsel affiliated with ClassAction.org. The OCR investigation remains open.

The pattern is consistent with prior FQHC breaches of comparable scale: an initial wave of plaintiff-side investigations within weeks of OCR filing, followed by one or more putative class complaints filed in federal court before the one-year mark.

What to do if you may be affected

  • Read your notification letter carefully. It lists the specific data elements involved for you and the activation code for the IDX identity-theft protection offer. The enrollment deadline matters; do not let it lapse.
  • Place a credit freeze with Equifax, Experian, and TransUnion. A freeze is free, separate from credit monitoring, and is the single most effective control against new-account identity theft. It takes roughly ten minutes per bureau and can be lifted temporarily when you need new credit.
  • Request a new driver’s license number from the Kansas Department of Revenue, Division of Vehicles, if your notice confirms your driver’s license number was exposed. Kansas issues new license numbers in confirmed identity-theft cases.
  • File an IRS Identity Protection PIN request at IRS.gov/IPPIN. Tax-refund fraud is one of the most common downstream uses of stolen SSN-plus-DOB combinations and is harder to unwind after a fraudulent return posts.
  • Watch for Hunter Health-themed phishing. After healthcare breaches, threat actors routinely follow up with phishing emails, SMS, and phone calls impersonating the breached entity’s “support team” or “IDX representative.” Hunter Health and IDX will not ask for your Social Security number, password, or one-time codes by email or text. Verify any inbound contact by calling 1-877-547-9047 directly.
  • If you are a behavioral-health or substance-use treatment patient, the medical-treatment disclosure carries discrimination risks beyond financial fraud. Document any adverse housing, employment, or benefits decisions you suspect are linked to disclosure. Substance-use treatment records may carry additional 42 CFR Part 2 protections worth raising with a privacy or healthcare attorney.
  • If you are an enrolled member of a federally recognized tribe, contact your tribal enrollment office about identity-rebuilding pathways and notify the Urban Indian Health Program leadership at Hunter Health directly if your records reflect tribal-affiliation data.
  • Preserve your legal options. Retain the notification letter and envelope. Plaintiff-side investigations are active at multiple firms; if you decide to pursue a claim, the named firms above are accepting intake and Kansas has a multi-year statute of limitations for the typical negligence and consumer-protection theories used in healthcare data-breach litigation.

Sources

We confirm these details directly against the HHS OCR portal record and the cited reporting; this page will be updated if a class action is filed, if the affected count is revised, or if further detail on the underlying intrusion is publicly disclosed.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.