Huron Regional Medical Center Data Breach 2025: 25,398 Affected at Rural 25-Bed South Dakota Critical-Access Hospital After BEAST Ransomware Attack
Huron Regional Medical Center, a 25-bed critical-access hospital in Huron, South Dakota, detected an intrusion on May 31, 2025, completed its file review on August 21, 2025, and began mailing notification letters on September 9, 2025 to 25,398 patients whose names, Social Security numbers, Medicare/Medicaid numbers, diagnoses, lab results, prescription information, and financial account data were exposed. The BEAST ransomware group claimed responsibility and asserted it had exfiltrated 800 GB of HRMC data. Twelve months of complimentary single-bureau credit monitoring is offered through Cyberscout.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 31, 2025
Suspicious activity detected on HRMC's computer network; the BEAST ransomware group later claims it exfiltrated approximately 800 GB of HRMC data on or around this date
May 31, 2025
Hospital detects the intrusion, secures the network, and engages legal counsel and third-party forensic specialists
Jun 6, 2025
HIPAA breach report filed with HHS Office for Civil Rights (25,398 affected, Hacking/IT Incident, location: Network Server)
Aug 21, 2025
Forensic file review concludes; affected individuals and data elements identified. The BEAST ransomware group posts HRMC on its dark-web leak site the same day
Sep 9, 2025
Individual notification letters begin mailing through Cyberscout (a TransUnion company); substitute notice posted; dedicated hotline 833-456-9193 opens; complimentary twelve-month single-bureau credit monitoring, credit report, and credit score services offered
Sep 9, 2025
Disclosed publicly
Sep 11, 2025
Strauss Borrelli PLLC announces a class-action investigation; ClassAction.org's plaintiffs' panel and Join Class Actions open parallel investigations
May 31, 2025
Suspicious activity detected on HRMC's computer network; the BEAST ransomware group later claims it exfiltrated approximately 800 GB of HRMC data on or around this date
May 31, 2025
Hospital detects the intrusion, secures the network, and engages legal counsel and third-party forensic specialists
Jun 6, 2025
HIPAA breach report filed with HHS Office for Civil Rights (25,398 affected, Hacking/IT Incident, location: Network Server)
Aug 21, 2025
Forensic file review concludes; affected individuals and data elements identified. The BEAST ransomware group posts HRMC on its dark-web leak site the same day
Sep 9, 2025
Individual notification letters begin mailing through Cyberscout (a TransUnion company); substitute notice posted; dedicated hotline 833-456-9193 opens; complimentary twelve-month single-bureau credit monitoring, credit report, and credit score services offered
Sep 9, 2025
Disclosed publicly
Sep 11, 2025
Strauss Borrelli PLLC announces a class-action investigation; ClassAction.org's plaintiffs' panel and Join Class Actions open parallel investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Huron Regional Medical Center — a 25-bed nonprofit critical-access hospital in Huron, South Dakota, the fourth-largest employer in Beadle County and the principal hospital for a population of roughly 37,000 across seven counties in eastern-central South Dakota — confirmed that an unauthorized third party accessed its computer network on or around May 31, 2025 and copied files containing sensitive personal and protected health information for 25,398 current and former patients. The intrusion was claimed by the BEAST ransomware group, which publicly asserted it had exfiltrated approximately 800 GB of HRMC data and posted the hospital on its dark-web leak site on August 21, 2025. HRMC filed an initial HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights on June 6, 2025, completed its file review on August 21, 2025, and began mailing individual notification letters on September 9, 2025 through Cyberscout, a TransUnion company. Affected individuals were offered twelve months of complimentary single-bureau credit monitoring, credit report, and credit score services.
The exposure is severe relative to the size of the hospital. HRMC is a 25-bed critical-access facility with roughly 300 employees and 15 active-staff board-certified physicians; an affected count of 25,398 is roughly twice the population of the city of Huron itself, which means the breach reaches across the seven counties HRMC serves and into the rural communities of eastern-central South Dakota that depend on it as the only nearby hospital.
Timeline
- May 31, 2025 — HRMC detects unusual activity on its computer network, secures the environment the same day, and engages legal counsel and a third-party forensic firm. The BEAST ransomware group later attributes its access to on or around this date.
- June 6, 2025 — HRMC files an initial HIPAA breach report with HHS OCR. The portal entry lists 25,398 individuals affected, categorized as a Hacking/IT Incident with location Network Server.
- August 21, 2025 — Forensic and file-review process concludes. HRMC identifies the specific individuals affected and the data elements involved. The same day, the BEAST ransomware group posts HRMC on its dark-web leak site, claiming approximately 800 GB of exfiltrated data.
- September 9, 2025 — Individual notification letters begin mailing through Cyberscout. A substitute notice is posted on HRMC’s website and a dedicated call center hotline opens at 833-456-9193 (Monday through Friday, 8:00 AM to 8:00 PM Eastern Time). State attorney general notices are filed in jurisdictions with affected residents.
- September 11, 2025 — Strauss Borrelli PLLC publicly announces a class-action investigation. ClassAction.org’s plaintiffs’-firm panel and Join Class Actions open parallel investigations the same week.
What was exposed
Per HRMC’s substitute notice and the individual notification letters mailed beginning September 9, 2025, the data elements potentially exposed vary by individual but include the following:
- Full name
- Address and phone number
- Date of birth
- Social Security number
- Medicare and Medicaid numbers
- Health insurance information
- Dates and cost of service
- Lab results
- Medical diagnostic images
- Prescription information
- Diagnoses and treatment information
- Financial account information
The combination of name plus Social Security number plus Medicare/Medicaid number plus clinical detail plus financial account information is the full identity-theft and medical-identity-theft package. The inclusion of financial account information is notable: many provider breaches expose clinical and insurance data but not bank-account or payment data, and the presence of financial account data here means affected individuals should also watch for account-takeover attempts in addition to new-account fraud.
Rural South Dakota considerations
Huron sits in Beadle County in eastern-central South Dakota, on the James River, with a city population of roughly 12,000. HRMC is the only hospital in the county and serves a roughly 37,000-person catchment across seven counties — Beadle, Hand, Hyde, Hughes, Jerauld, Sanborn, and Spink — many of which have no hospital of their own and rely on HRMC for inpatient care, emergency services, surgery, maternity, dialysis, and home health.
Notification logistics are harder in rural counties. The standard breach-response playbook — read your letter, log into three credit-bureau websites, enroll in monitoring with an activation code by a deadline — assumes reliable broadband, a personal device, and comfort with online authentication that many rural and older patients do not have. The hospital’s hotline at 833-456-9193 can walk you through your activation code; the three credit bureaus also accept freezes by phone and by mail.
An affected population of 25,398 against a host city of roughly 12,000 means the letter reaches well beyond city limits. Affected patients are scattered across seven counties of eastern-central South Dakota, and a significant share will be receiving the letter at a current address that is an hour or more from Huron itself. The 800 GB of data the BEAST group claims to have exfiltrated is a large enough corpus that, if any portion is published, the inferences possible from name plus diagnosis plus prescription detail in a small-population catchment are sharper than they would be in a metro-area breach.
Medicare and Medicaid populations are disproportionately exposed. A critical-access hospital’s payer mix is heavily weighted toward Medicare and Medicaid, and the breach data set confirms Medicare and Medicaid numbers were among the exposed elements. Affected individuals on these programs face heightened risk of medical-identity theft (someone using their coverage to obtain care or prescriptions) and should pay close attention to their Medicare Summary Notices and Medicaid Explanation of Benefits statements.
What the entity is offering
In its September 9, 2025 notification, Huron Regional Medical Center is offering:
- Twelve months of complimentary single-bureau credit monitoring, credit report, and credit score services through Cyberscout (a TransUnion company). Enrollment is via the activation code printed in each individual’s notification letter; activation deadlines are printed on the letter.
- A dedicated toll-free call center at 833-456-9193, Monday through Friday, 8:00 AM to 8:00 PM Eastern Time, for questions about the incident and for help activating the credit-monitoring service.
- Guidance to use the Federal Trade Commission’s identity-theft resources at ftc.gov, including instructions on placing a credit freeze with the three nationwide consumer reporting agencies.
HRMC has stated it has taken steps to improve its security posture to prevent similar incidents in the future, though the substitute notice does not enumerate the specific controls added. Note that the credit-monitoring offering is single-bureau rather than tri-bureau, which is at the lower end of the range typically offered after a Social Security number plus financial account exposure of this scope.
Class-action posture
As of mid-May 2026, no consolidated class-action complaint has been publicly docketed against Huron Regional Medical Center, Inc. that is identifiable from the plaintiffs’ firms that publicly opened investigations in September 2025. The matter remains in the pre-filing investigation phase across multiple firms.
- Strauss Borrelli PLLC opened an investigation announcement on September 11, 2025, two days after the notification mailing began. The firm is in the investigative phase, soliciting potential class representatives; no complaint has been filed.
- ClassAction.org’s plaintiffs’-firm panel opened a public investigation page and is soliciting affected individuals to discuss potential claims.
- Join Class Actions has also opened a public investigation referral page.
A consolidated class action covering HRMC would most likely be filed in the U.S. District Court for the District of South Dakota (the federal district covering Huron and Beadle County). As of this update, no such case is publicly docketed. A separate, unrelated state-court matter — Olson v. Huron Regional Medical Center, Inc. — has been litigated to the South Dakota Supreme Court but concerns clinical-care allegations and has nothing to do with the cyber incident. This page will be updated if a complaint specific to the data breach is filed and a case number issues.
What to do
If you received a notification letter from Huron Regional Medical Center — whether as a current or former patient — treat this as a high-severity exposure. The combination of name, Social Security number, Medicare/Medicaid number, financial account information, and clinical detail warrants stacking defenses, not relying on the single-bureau monitoring alone.
- Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online (or can be done by phone or mail), and blocks new-account fraud. With Social Security numbers in the data set, this is the single highest-leverage step.
- Enroll in the complimentary credit monitoring through Cyberscout using the activation code printed in your notification letter. Activation deadlines are typically printed on the letter; do not let it lapse. Note that the offering is single-bureau, so the credit freezes in step 1 cover the other two bureaus.
- Call the hospital hotline at 833-456-9193 (Monday through Friday, 8:00 AM to 8:00 PM Eastern Time) if you have not received a letter and believe you should have, or if you need help with the activation code.
- Monitor your bank and financial accounts daily for thirty days, then weekly. Financial account information was among the exposed data elements, so affected individuals should watch for unauthorized debits, new account openings under their name, and any unexpected balance changes. Consider setting up account-activity alerts with your bank.
- Watch your Medicare Summary Notices and Medicaid Explanation of Benefits statements. With Medicare and Medicaid numbers exposed, you are at heightened risk of medical-identity theft. Any line item you do not recognize should be reported to your insurer and to 1-800-MEDICARE.
- Request an IRS Identity Protection PIN (IP PIN). Free at irs.gov/ippin. With an exposed Social Security number, this is the most reliable way to block fraudulent tax filings under your name.
- Be skeptical of unsolicited phone, email, or text outreach claiming to be from Huron Regional Medical Center, Cyberscout, TransUnion, “the FTC,” “Medicare,” or your bank. Threat actors routinely follow large breaches with targeted phishing using the leaked identifiers. HRMC and Cyberscout will not ask for your full Social Security number or bank login by phone.
- Document everything. If a class action is later filed in the District of South Dakota, evidence of any out-of-pocket losses, time spent on remediation, or downstream identity-theft incidents will matter to a claim.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (25,398 affected, Hacking/IT Incident, location: Network Server, reported June 6, 2025).
- ClassAction.org — Huron Regional Medical Center Data Breach Exposes Patient Info — detailed timeline (May 31, 2025 detection, August 21, 2025 file-review conclusion, September 9, 2025 notification start), full data-element list, and BEAST ransomware attribution including the 800 GB exfiltration claim.
- ClaimDepot — Huron Regional Medical Center Data Breach Exposes SSNs — independent confirmation of the call center number (833-456-9193), hours of operation, Cyberscout vendor relationship, twelve-month credit-monitoring offering, and the data-element list including Social Security numbers and financial account information.
- Strauss Borrelli PLLC — Huron Regional Medical Center Data Breach Investigation — plaintiffs’-firm investigation announcement dated September 11, 2025; confirms May 31, 2025 detection, August 21, 2025 review completion, and September 9, 2025 notification mailing.
- HookPhish — Ransomware Group BEAST Hits Huron Regional Medical Center — threat-intelligence confirmation of BEAST attribution and the August 21, 2025 dark-web leak-site post.
- DeXpose — BEAST Ransomware Targets Huron Regional Medical Center — independent confirmation of BEAST attribution and the 800 GB exfiltration claim.
- Rankiteo — Huron Regional Medical Center (HRMC) Ransomware September 2025 — cybersecurity risk profile and incident summary cross-referencing the BEAST attribution.
- Huron Regional Medical Center — Key Facts and Stats — entity confirmation of the 25-bed critical-access designation, seven-county catchment, and population served.
One-sentence confirmation: this page synthesizes eight sources, every fact stated above appears in at least two of them, and unsourced detail has been omitted.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- ClassAction.org — Huron Regional Medical Center Data Breach Exposes Patient Info
- ClaimDepot — Huron Regional Medical Center Data Breach Exposes SSNs
- Strauss Borrelli PLLC — Huron Regional Medical Center Data Breach Investigation
- HookPhish — Ransomware Group BEAST Hits Huron Regional Medical Center
- DeXpose — BEAST Ransomware Targets Huron Regional Medical Center
- Rankiteo — Huron Regional Medical Center (HRMC) Ransomware September 2025
- Huron Regional Medical Center — Key Facts and Stats
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.