Active breach tracker Monticello, Arkansas Disclosed June 23, 2025

Mainline Health Systems Data Breach 2025: 101,104 Patients Exposed at Southeast Arkansas FQHC · Inc Ransom Attack · 14-Month Notification Delay. What To Do

Mainline Health Systems Inc, a federally qualified health center headquartered in Monticello, Arkansas serving Ashley, Bradley, Chicot, Drew, and Lincoln counties, filed a HIPAA breach notification with HHS OCR on June 23, 2025 reporting 101,104 affected individuals after an April 10, 2024 network intrusion claimed by the Inc Ransom ransomware group. Exposed data included Social Security numbers, driver's license numbers, financial account and payment card numbers, Medicaid numbers, diagnoses, prescriptions, and clinical information. Notification letters went out 14 months after the initial compromise. A putative class action, Carter v. Mainline, is pending in the U.S. District Court for the Eastern District of Arkansas.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 10, 2024

Unauthorized actor accessed Mainline Health Systems' network

May 1, 2024

Inc Ransom ransomware group claimed responsibility and leaked stolen files on its Tor leak site

May 21, 2025

File review completed; Mainline determined protected personal information was subject to unauthorized access and acquisition

Jun 20, 2025

Mainline began mailing notification letters to affected individuals and filed notice with state attorneys general

Jun 23, 2025

Breach posted to the HHS OCR public breach portal: Hacking/IT Incident, Network Server, 101,104 affected

Jul 3, 2025

Putative class action Carter v. Mainline Systems, Inc., No. 4:25-cv-665-LPR, filed in the U.S. District Court for the Eastern District of Arkansas

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Medical record number Diagnosis and treatment/procedure information Prescription information Clinical information

03

Contact & insurance

Phishing + targeted scams

Full name Financial account numbers and access information Payment card numbers and access information Patient ID Medicaid number Health insurance policy number Health insurance group number Provider name and location

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Bronson Legal LLC (filed Carter v. Mainline, E.D. Ark.) Federman & Sherwood (publicly investigating) Strauss Borrelli PLLC (publicly investigating) Cole & Van Note (publicly investigating) Pittman Dutton Hellums Bradley & Mann (publicly investigating) Schubert Jonckheer & Kolbe (publicly investigating) Lynch Carpenter LLP (publicly investigating) Edelson Lechtzin LLP (publicly investigating) Murphy Law Firm (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Mainline Health Systems Inc, a federally qualified health center (FQHC) headquartered in Monticello, Arkansas, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 23, 2025, reporting 101,104 affected individuals in a Hacking/IT Incident affecting a network server. The Inc Ransom ransomware group claimed responsibility for the underlying April 10, 2024 intrusion and posted Mainline to its Tor leak site in May 2024, but Mainline did not begin mailing individual notification letters until June 20, 2025. Roughly 14 months elapsed between the initial compromise and consumer notice.

Mainline published an official Notice of Data Security Incident on its own website and filed notifications with at least 13 state attorneys general, including Maine (1 resident), Massachusetts (7 residents), and Texas (428 residents) among others (California, Iowa, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Vermont, and Washington).

Timeline

  • April 10, 2024 — Unauthorized actors gained access to Mainline Health Systems’ network, per the company’s notification letter.
  • May 2024 — The Inc Ransom ransomware group claimed responsibility for the attack and added Mainline to its Tor leak site, publishing a sample of stolen files.
  • May 21, 2025 — Mainline completed its file review and determined that protected personal information was subject to unauthorized access and acquisition.
  • June 20, 2025 — Mainline filed notice with state attorneys general (including the Maine AG) and began mailing written notification letters to affected individuals.
  • June 23, 2025 — Breach entered on the HHS OCR public breach portal as a Hacking/IT Incident at a Network Server, listing 101,104 affected individuals.
  • July 3, 2025 — A putative class action, Carter v. Mainline Systems, Inc., No. 4:25-cv-665-LPR, was filed in the U.S. District Court for the Eastern District of Arkansas.

What was exposed

Per Mainline’s official Notice of Data Security Incident (published at mainlinehealth.net and filed with state attorneys general), the data elements involved for at least some individuals included full name plus one or more of the following:

  • Date of birth
  • Social Security number
  • Driver’s license number
  • Financial account numbers and financial account access information
  • Payment card numbers and payment card access information
  • Medical record number and patient ID
  • Medicaid number
  • Health insurance policy number
  • Health insurance group number
  • Medical diagnosis and treatment/procedure information
  • Prescription information
  • Clinical information
  • Provider name and location

Not all data elements were affected for every individual. Mainline stated it is not aware of any confirmed incidents of identity fraud or financial fraud resulting from the incident as of the date of notification.

Inc Ransom is a financially motivated extortion crew active since 2023 whose prior victims include the National Health Service of Scotland and Xerox. The group pairs network intrusion with data theft and pressures victims by publishing samples on a Tor leak site if a ransom is not paid; that is the posture Mainline faced in May 2024.

Sensitive-population considerations (FQHC)

Mainline Health Systems is a nonprofit federally qualified health center serving rural and underserved communities across Ashley, Bradley, Chicot, Cleveland, Desha, Drew, Grant, and Lincoln counties in southeast Arkansas, operating more than 30 clinical locations including school-based clinics. FQHCs are HRSA-supported safety-net providers that, by statutory mandate, serve patients regardless of ability to pay; the patient base skews toward Medicaid beneficiaries, uninsured and underinsured patients, agricultural and rural workers, school-age children, and households with limited financial cushion against identity-theft remediation costs.

The data set involved here is unusually rich for a community-clinic system. It pairs full identity data (SSN, driver’s license, date of birth) with payment card and bank-account information and with clinical diagnoses, prescriptions, and Medicaid identifiers. For affected patients, the practical consequences extend beyond credit fraud to medical-identity fraud, Medicaid benefits fraud, and potential exposure of stigmatized diagnoses. Those harms land harder on patients with thin credit files, limited transportation, and limited time and money to contest fraudulent accounts.

What the entity is offering

Mainline Health Systems is offering 12 months of complimentary credit and CyberScan monitoring through IDX, paired with a $1,000,000 identity-theft insurance reimbursement policy and fully managed identity-theft recovery services. The offer is limited to individuals whose Social Security numbers were involved in the incident, and recipients must enroll using the activation code provided in their individual notification letter before the deadline stated in that letter.

Mainline’s dedicated response line for affected individuals is 1-855-201-4160, available Monday through Friday beginning at 8:00 a.m. (hours per the official notice letter). Individuals who did not receive a letter but believe they may be affected can also contact this number to determine whether their information was included.

Class-action posture

A putative class action has been filed in federal court:

  • Carter v. Mainline Systems, Inc., No. 4:25-cv-665-LPR, U.S. District Court for the Eastern District of Arkansas, filed July 3, 2025. The complaint pleads claims tied to the 14-month gap between intrusion and notice, alleging negligence-based theories.

Multiple plaintiffs’ firms have publicly announced investigations, which typically precedes additional filings and eventual consolidation. Those firms include Federman & Sherwood, Strauss Borrelli PLLC, Cole & Van Note, Pittman Dutton Hellums Bradley & Mann, Schubert Jonckheer & Kolbe, Lynch Carpenter LLP, Edelson Lechtzin LLP, and Murphy Law Firm.

What to do if you may be affected

  • Enroll in the IDX credit-monitoring offer if you received an activation code in your notification letter. The offer expires; do not let it lapse.
  • Freeze your credit with Equifax, Experian, and TransUnion. A freeze blocks new-account fraud and is free to place and lift. With SSNs and driver’s-license numbers in this data set, a freeze is the single highest-leverage control.
  • Watch Medicaid and health-plan EOBs for services you did not receive. Medical-identity fraud is the most likely downstream harm for FQHC patients in this breach. Report suspicious claims to your Medicaid managed-care plan and to the Arkansas Medicaid Inspector General.
  • Review bank and card statements because payment card and financial account numbers were included for some individuals. Replace any card that was on file with the clinic for autopay or copays.
  • Request an IRS Identity Protection PIN at IRS.gov. Tax-refund fraud is one of the most common downstream uses of stolen SSN plus DOB combinations.
  • Watch for Mainline-themed phishing. Threat actors who leak stolen data routinely send follow-on phishing emails and SMS impersonating the breached entity. Mainline will not ask you for your SSN or password by email or text.
  • Preserve your notification letter. It documents the categories of data involved in your individual record, which matters if you later file a claim in the pending class action.
  • Stop the ongoing flow of your community-health data. HealthConsent files HIPAA restriction requests so the diagnosis, prescription, and Medicaid information exposed in this breach is not continuously re-shared with insurers, data brokers, and third-party marketers.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.