Mainline Health Systems Data Breach 2025: 101,104 Patients Exposed at Southeast Arkansas FQHC · Inc Ransom Attack · 14-Month Notification Delay. What To Do
Mainline Health Systems Inc, a federally qualified health center headquartered in Monticello, Arkansas serving Ashley, Bradley, Chicot, Drew, and Lincoln counties, filed a HIPAA breach notification with HHS OCR on June 23, 2025 reporting 101,104 affected individuals after an April 10, 2024 network intrusion claimed by the Inc Ransom ransomware group. Exposed data included Social Security numbers, driver's license numbers, financial account and payment card numbers, Medicaid numbers, diagnoses, prescriptions, and clinical information. Notification letters went out 14 months after the initial compromise. A putative class action, Carter v. Mainline, is pending in the U.S. District Court for the Eastern District of Arkansas.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 10, 2024
Unauthorized actor accessed Mainline Health Systems' network
May 1, 2024
Inc Ransom ransomware group claimed responsibility and leaked stolen files on its Tor leak site
May 21, 2025
File review completed; Mainline determined protected personal information was subject to unauthorized access and acquisition
Jun 20, 2025
Mainline began mailing notification letters to affected individuals and filed notice with state attorneys general
Jun 23, 2025
Breach posted to the HHS OCR public breach portal: Hacking/IT Incident, Network Server, 101,104 affected
Jul 3, 2025
Putative class action Carter v. Mainline Systems, Inc., No. 4:25-cv-665-LPR, filed in the U.S. District Court for the Eastern District of Arkansas
Apr 10, 2024
Unauthorized actor accessed Mainline Health Systems' network
May 1, 2024
Inc Ransom ransomware group claimed responsibility and leaked stolen files on its Tor leak site
May 21, 2025
File review completed; Mainline determined protected personal information was subject to unauthorized access and acquisition
Jun 20, 2025
Mainline began mailing notification letters to affected individuals and filed notice with state attorneys general
Jun 23, 2025
Breach posted to the HHS OCR public breach portal: Hacking/IT Incident, Network Server, 101,104 affected
Jul 3, 2025
Putative class action Carter v. Mainline Systems, Inc., No. 4:25-cv-665-LPR, filed in the U.S. District Court for the Eastern District of Arkansas
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Mainline Health Systems Inc, a federally qualified health center (FQHC) headquartered in Monticello, Arkansas, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 23, 2025, reporting 101,104 affected individuals in a Hacking/IT Incident affecting a network server. The Inc Ransom ransomware group claimed responsibility for the underlying April 10, 2024 intrusion and posted Mainline to its Tor leak site in May 2024, but Mainline did not begin mailing individual notification letters until June 20, 2025. Roughly 14 months elapsed between the initial compromise and consumer notice.
Mainline published an official Notice of Data Security Incident on its own website and filed notifications with at least 13 state attorneys general, including Maine (1 resident), Massachusetts (7 residents), and Texas (428 residents) among others (California, Iowa, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Vermont, and Washington).
Timeline
- April 10, 2024 — Unauthorized actors gained access to Mainline Health Systems’ network, per the company’s notification letter.
- May 2024 — The Inc Ransom ransomware group claimed responsibility for the attack and added Mainline to its Tor leak site, publishing a sample of stolen files.
- May 21, 2025 — Mainline completed its file review and determined that protected personal information was subject to unauthorized access and acquisition.
- June 20, 2025 — Mainline filed notice with state attorneys general (including the Maine AG) and began mailing written notification letters to affected individuals.
- June 23, 2025 — Breach entered on the HHS OCR public breach portal as a Hacking/IT Incident at a Network Server, listing 101,104 affected individuals.
- July 3, 2025 — A putative class action, Carter v. Mainline Systems, Inc., No. 4:25-cv-665-LPR, was filed in the U.S. District Court for the Eastern District of Arkansas.
What was exposed
Per Mainline’s official Notice of Data Security Incident (published at mainlinehealth.net and filed with state attorneys general), the data elements involved for at least some individuals included full name plus one or more of the following:
- Date of birth
- Social Security number
- Driver’s license number
- Financial account numbers and financial account access information
- Payment card numbers and payment card access information
- Medical record number and patient ID
- Medicaid number
- Health insurance policy number
- Health insurance group number
- Medical diagnosis and treatment/procedure information
- Prescription information
- Clinical information
- Provider name and location
Not all data elements were affected for every individual. Mainline stated it is not aware of any confirmed incidents of identity fraud or financial fraud resulting from the incident as of the date of notification.
Inc Ransom is a financially motivated extortion crew active since 2023 whose prior victims include the National Health Service of Scotland and Xerox. The group pairs network intrusion with data theft and pressures victims by publishing samples on a Tor leak site if a ransom is not paid; that is the posture Mainline faced in May 2024.
Sensitive-population considerations (FQHC)
Mainline Health Systems is a nonprofit federally qualified health center serving rural and underserved communities across Ashley, Bradley, Chicot, Cleveland, Desha, Drew, Grant, and Lincoln counties in southeast Arkansas, operating more than 30 clinical locations including school-based clinics. FQHCs are HRSA-supported safety-net providers that, by statutory mandate, serve patients regardless of ability to pay; the patient base skews toward Medicaid beneficiaries, uninsured and underinsured patients, agricultural and rural workers, school-age children, and households with limited financial cushion against identity-theft remediation costs.
The data set involved here is unusually rich for a community-clinic system. It pairs full identity data (SSN, driver’s license, date of birth) with payment card and bank-account information and with clinical diagnoses, prescriptions, and Medicaid identifiers. For affected patients, the practical consequences extend beyond credit fraud to medical-identity fraud, Medicaid benefits fraud, and potential exposure of stigmatized diagnoses. Those harms land harder on patients with thin credit files, limited transportation, and limited time and money to contest fraudulent accounts.
What the entity is offering
Mainline Health Systems is offering 12 months of complimentary credit and CyberScan monitoring through IDX, paired with a $1,000,000 identity-theft insurance reimbursement policy and fully managed identity-theft recovery services. The offer is limited to individuals whose Social Security numbers were involved in the incident, and recipients must enroll using the activation code provided in their individual notification letter before the deadline stated in that letter.
Mainline’s dedicated response line for affected individuals is 1-855-201-4160, available Monday through Friday beginning at 8:00 a.m. (hours per the official notice letter). Individuals who did not receive a letter but believe they may be affected can also contact this number to determine whether their information was included.
Class-action posture
A putative class action has been filed in federal court:
- Carter v. Mainline Systems, Inc., No. 4:25-cv-665-LPR, U.S. District Court for the Eastern District of Arkansas, filed July 3, 2025. The complaint pleads claims tied to the 14-month gap between intrusion and notice, alleging negligence-based theories.
Multiple plaintiffs’ firms have publicly announced investigations, which typically precedes additional filings and eventual consolidation. Those firms include Federman & Sherwood, Strauss Borrelli PLLC, Cole & Van Note, Pittman Dutton Hellums Bradley & Mann, Schubert Jonckheer & Kolbe, Lynch Carpenter LLP, Edelson Lechtzin LLP, and Murphy Law Firm.
What to do if you may be affected
- Enroll in the IDX credit-monitoring offer if you received an activation code in your notification letter. The offer expires; do not let it lapse.
- Freeze your credit with Equifax, Experian, and TransUnion. A freeze blocks new-account fraud and is free to place and lift. With SSNs and driver’s-license numbers in this data set, a freeze is the single highest-leverage control.
- Watch Medicaid and health-plan EOBs for services you did not receive. Medical-identity fraud is the most likely downstream harm for FQHC patients in this breach. Report suspicious claims to your Medicaid managed-care plan and to the Arkansas Medicaid Inspector General.
- Review bank and card statements because payment card and financial account numbers were included for some individuals. Replace any card that was on file with the clinic for autopay or copays.
- Request an IRS Identity Protection PIN at IRS.gov. Tax-refund fraud is one of the most common downstream uses of stolen SSN plus DOB combinations.
- Watch for Mainline-themed phishing. Threat actors who leak stolen data routinely send follow-on phishing emails and SMS impersonating the breached entity. Mainline will not ask you for your SSN or password by email or text.
- Preserve your notification letter. It documents the categories of data involved in your individual record, which matters if you later file a claim in the pending class action.
- Stop the ongoing flow of your community-health data. HealthConsent files HIPAA restriction requests so the diagnosis, prescription, and Medicaid information exposed in this breach is not continuously re-shared with insurers, data brokers, and third-party marketers.
Continue reading
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (June 23, 2025 filing, 101,104 affected, Hacking/IT Incident at Network Server, covered entity Mainline Health Systems Inc, Arkansas, Healthcare Provider).
- Mainline Health Systems — Official Data Security Incident Notice (PDF) — authoritative source for confirmed PHI categories, IDX monitoring offer details, and call center number (1-855-201-4160).
- Mainline Health Systems (entity website) — confirms Monticello, Arkansas headquarters, southeast Arkansas service area, and services including behavioral health, dental, school-based clinics, and medication-assisted treatment.
- HIPAA Journal — Mainline Health Systems Reports 101,000-Record Data Breach — confirmed data elements, IDX monitoring offer details, and 14-month notification gap timeline.
- SecurityWeek — Mainline Health, Select Medical Each Disclose Data Breaches Impacting 100,000 People — Inc Ransom attribution and May 2024 Tor leak-site activity.
- Security Affairs — Mainline Health Systems disclosed a data breach — independent corroboration of Inc Ransom Tor leak-site listing and federal law-enforcement notification.
- Paubox — Mainline Health Systems breach exposes 100K records in ransomware attack — independent corroboration of INC RANSOM attribution; notes broader healthcare-sector campaign.
- Cybernews — Over 100K exposed in Arkansas health system hack — independent corroboration of incident scope and FQHC context.
- ClaimDepot — Mainline Health Data Breach Impacts 101,104 Patients — multi-state AG filing summary: Maine (1 resident), Massachusetts (7 residents), Texas (428 residents) and 10 additional state AG disclosures.
- ClassAction.org — Mainline Health Systems Data Breach Lawsuit Investigation — eight-county service area; plaintiff-side investigation completed.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Mainline Health Systems — Official Data Security Incident Notice (PDF)
- Mainline Health Systems (entity website)
- HIPAA Journal — Mainline Health Systems Reports 101,000-Record Data Breach
- SecurityWeek — Mainline Health, Select Medical Each Disclose Data Breaches Impacting 100,000 People
- Security Affairs — Mainline Health Systems disclosed a data breach (Inc Ransom attribution; Tor leak-site listing)
- Paubox — Mainline Health Systems breach exposes 100K records in ransomware attack
- Cybernews — Over 100K exposed in Arkansas health system hack
- ClaimDepot — Mainline Health Data Breach Impacts 101,104 Patients (multi-state AG filing summary)
- ClassAction.org — Mainline Health Systems Data Breach Lawsuit Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.