Active breach tracker Huron, South Dakota Disclosed September 9, 2025

Huron Regional Medical Center Data Breach 2025: 25,398 Affected at Rural 25-Bed South Dakota Critical-Access Hospital After BEAST Ransomware Attack

Huron Regional Medical Center, a 25-bed critical-access hospital in Huron, South Dakota, detected an intrusion on May 31, 2025, completed its file review on August 21, 2025, and began mailing notification letters on September 9, 2025 to 25,398 patients whose names, Social Security numbers, Medicare/Medicaid numbers, diagnoses, lab results, prescription information, and financial account data were exposed. The BEAST ransomware group claimed responsibility and asserted it had exfiltrated 800 GB of HRMC data. Twelve months of complimentary single-bureau credit monitoring is offered through Cyberscout.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 31, 2025

Suspicious activity detected on HRMC's computer network; the BEAST ransomware group later claims it exfiltrated approximately 800 GB of HRMC data on or around this date

May 31, 2025

Hospital detects the intrusion, secures the network, and engages legal counsel and third-party forensic specialists

Jun 6, 2025

HIPAA breach report filed with HHS Office for Civil Rights (25,398 affected, Hacking/IT Incident, location: Network Server)

Aug 21, 2025

Forensic file review concludes; affected individuals and data elements identified. The BEAST ransomware group posts HRMC on its dark-web leak site the same day

Sep 9, 2025

Individual notification letters begin mailing through Cyberscout (a TransUnion company); substitute notice posted; dedicated hotline 833-456-9193 opens; complimentary twelve-month single-bureau credit monitoring, credit report, and credit score services offered

Sep 9, 2025

Disclosed publicly

Sep 11, 2025

Strauss Borrelli PLLC announces a class-action investigation; ClassAction.org's plaintiffs' panel and Join Class Actions open parallel investigations

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Lab results Medical diagnostic images Prescription information Diagnoses and treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address and phone number Medicare/Medicaid numbers Health insurance information Dates and cost of service Financial account information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Huron Regional Medical Center — a 25-bed nonprofit critical-access hospital in Huron, South Dakota, the fourth-largest employer in Beadle County and the principal hospital for a population of roughly 37,000 across seven counties in eastern-central South Dakota — confirmed that an unauthorized third party accessed its computer network on or around May 31, 2025 and copied files containing sensitive personal and protected health information for 25,398 current and former patients. The intrusion was claimed by the BEAST ransomware group, which publicly asserted it had exfiltrated approximately 800 GB of HRMC data and posted the hospital on its dark-web leak site on August 21, 2025. HRMC filed an initial HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights on June 6, 2025, completed its file review on August 21, 2025, and began mailing individual notification letters on September 9, 2025 through Cyberscout, a TransUnion company. Affected individuals were offered twelve months of complimentary single-bureau credit monitoring, credit report, and credit score services.

The exposure is severe relative to the size of the hospital. HRMC is a 25-bed critical-access facility with roughly 300 employees and 15 active-staff board-certified physicians; an affected count of 25,398 is roughly twice the population of the city of Huron itself, which means the breach reaches across the seven counties HRMC serves and into the rural communities of eastern-central South Dakota that depend on it as the only nearby hospital.

Timeline

  • May 31, 2025 — HRMC detects unusual activity on its computer network, secures the environment the same day, and engages legal counsel and a third-party forensic firm. The BEAST ransomware group later attributes its access to on or around this date.
  • June 6, 2025 — HRMC files an initial HIPAA breach report with HHS OCR. The portal entry lists 25,398 individuals affected, categorized as a Hacking/IT Incident with location Network Server.
  • August 21, 2025 — Forensic and file-review process concludes. HRMC identifies the specific individuals affected and the data elements involved. The same day, the BEAST ransomware group posts HRMC on its dark-web leak site, claiming approximately 800 GB of exfiltrated data.
  • September 9, 2025 — Individual notification letters begin mailing through Cyberscout. A substitute notice is posted on HRMC’s website and a dedicated call center hotline opens at 833-456-9193 (Monday through Friday, 8:00 AM to 8:00 PM Eastern Time). State attorney general notices are filed in jurisdictions with affected residents.
  • September 11, 2025 — Strauss Borrelli PLLC publicly announces a class-action investigation. ClassAction.org’s plaintiffs’-firm panel and Join Class Actions open parallel investigations the same week.

What was exposed

Per HRMC’s substitute notice and the individual notification letters mailed beginning September 9, 2025, the data elements potentially exposed vary by individual but include the following:

  • Full name
  • Address and phone number
  • Date of birth
  • Social Security number
  • Medicare and Medicaid numbers
  • Health insurance information
  • Dates and cost of service
  • Lab results
  • Medical diagnostic images
  • Prescription information
  • Diagnoses and treatment information
  • Financial account information

The combination of name plus Social Security number plus Medicare/Medicaid number plus clinical detail plus financial account information is the full identity-theft and medical-identity-theft package. The inclusion of financial account information is notable: many provider breaches expose clinical and insurance data but not bank-account or payment data, and the presence of financial account data here means affected individuals should also watch for account-takeover attempts in addition to new-account fraud.

Rural South Dakota considerations

Huron sits in Beadle County in eastern-central South Dakota, on the James River, with a city population of roughly 12,000. HRMC is the only hospital in the county and serves a roughly 37,000-person catchment across seven counties — Beadle, Hand, Hyde, Hughes, Jerauld, Sanborn, and Spink — many of which have no hospital of their own and rely on HRMC for inpatient care, emergency services, surgery, maternity, dialysis, and home health.

Notification logistics are harder in rural counties. The standard breach-response playbook — read your letter, log into three credit-bureau websites, enroll in monitoring with an activation code by a deadline — assumes reliable broadband, a personal device, and comfort with online authentication that many rural and older patients do not have. The hospital’s hotline at 833-456-9193 can walk you through your activation code; the three credit bureaus also accept freezes by phone and by mail.

An affected population of 25,398 against a host city of roughly 12,000 means the letter reaches well beyond city limits. Affected patients are scattered across seven counties of eastern-central South Dakota, and a significant share will be receiving the letter at a current address that is an hour or more from Huron itself. The 800 GB of data the BEAST group claims to have exfiltrated is a large enough corpus that, if any portion is published, the inferences possible from name plus diagnosis plus prescription detail in a small-population catchment are sharper than they would be in a metro-area breach.

Medicare and Medicaid populations are disproportionately exposed. A critical-access hospital’s payer mix is heavily weighted toward Medicare and Medicaid, and the breach data set confirms Medicare and Medicaid numbers were among the exposed elements. Affected individuals on these programs face heightened risk of medical-identity theft (someone using their coverage to obtain care or prescriptions) and should pay close attention to their Medicare Summary Notices and Medicaid Explanation of Benefits statements.

What the entity is offering

In its September 9, 2025 notification, Huron Regional Medical Center is offering:

  • Twelve months of complimentary single-bureau credit monitoring, credit report, and credit score services through Cyberscout (a TransUnion company). Enrollment is via the activation code printed in each individual’s notification letter; activation deadlines are printed on the letter.
  • A dedicated toll-free call center at 833-456-9193, Monday through Friday, 8:00 AM to 8:00 PM Eastern Time, for questions about the incident and for help activating the credit-monitoring service.
  • Guidance to use the Federal Trade Commission’s identity-theft resources at ftc.gov, including instructions on placing a credit freeze with the three nationwide consumer reporting agencies.

HRMC has stated it has taken steps to improve its security posture to prevent similar incidents in the future, though the substitute notice does not enumerate the specific controls added. Note that the credit-monitoring offering is single-bureau rather than tri-bureau, which is at the lower end of the range typically offered after a Social Security number plus financial account exposure of this scope.

Class-action posture

As of mid-May 2026, no consolidated class-action complaint has been publicly docketed against Huron Regional Medical Center, Inc. that is identifiable from the plaintiffs’ firms that publicly opened investigations in September 2025. The matter remains in the pre-filing investigation phase across multiple firms.

  • Strauss Borrelli PLLC opened an investigation announcement on September 11, 2025, two days after the notification mailing began. The firm is in the investigative phase, soliciting potential class representatives; no complaint has been filed.
  • ClassAction.org’s plaintiffs’-firm panel opened a public investigation page and is soliciting affected individuals to discuss potential claims.
  • Join Class Actions has also opened a public investigation referral page.

A consolidated class action covering HRMC would most likely be filed in the U.S. District Court for the District of South Dakota (the federal district covering Huron and Beadle County). As of this update, no such case is publicly docketed. A separate, unrelated state-court matter — Olson v. Huron Regional Medical Center, Inc. — has been litigated to the South Dakota Supreme Court but concerns clinical-care allegations and has nothing to do with the cyber incident. This page will be updated if a complaint specific to the data breach is filed and a case number issues.

What to do

If you received a notification letter from Huron Regional Medical Center — whether as a current or former patient — treat this as a high-severity exposure. The combination of name, Social Security number, Medicare/Medicaid number, financial account information, and clinical detail warrants stacking defenses, not relying on the single-bureau monitoring alone.

  1. Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online (or can be done by phone or mail), and blocks new-account fraud. With Social Security numbers in the data set, this is the single highest-leverage step.
  2. Enroll in the complimentary credit monitoring through Cyberscout using the activation code printed in your notification letter. Activation deadlines are typically printed on the letter; do not let it lapse. Note that the offering is single-bureau, so the credit freezes in step 1 cover the other two bureaus.
  3. Call the hospital hotline at 833-456-9193 (Monday through Friday, 8:00 AM to 8:00 PM Eastern Time) if you have not received a letter and believe you should have, or if you need help with the activation code.
  4. Monitor your bank and financial accounts daily for thirty days, then weekly. Financial account information was among the exposed data elements, so affected individuals should watch for unauthorized debits, new account openings under their name, and any unexpected balance changes. Consider setting up account-activity alerts with your bank.
  5. Watch your Medicare Summary Notices and Medicaid Explanation of Benefits statements. With Medicare and Medicaid numbers exposed, you are at heightened risk of medical-identity theft. Any line item you do not recognize should be reported to your insurer and to 1-800-MEDICARE.
  6. Request an IRS Identity Protection PIN (IP PIN). Free at irs.gov/ippin. With an exposed Social Security number, this is the most reliable way to block fraudulent tax filings under your name.
  7. Be skeptical of unsolicited phone, email, or text outreach claiming to be from Huron Regional Medical Center, Cyberscout, TransUnion, “the FTC,” “Medicare,” or your bank. Threat actors routinely follow large breaches with targeted phishing using the leaked identifiers. HRMC and Cyberscout will not ask for your full Social Security number or bank login by phone.
  8. Document everything. If a class action is later filed in the District of South Dakota, evidence of any out-of-pocket losses, time spent on remediation, or downstream identity-theft incidents will matter to a claim.

Sources

One-sentence confirmation: this page synthesizes eight sources, every fact stated above appears in at least two of them, and unsourced detail has been omitted.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.