Active breach tracker Billerica, MA Disclosed January 20, 2026

Middlesex Sheriff's Office Data Breach 2026: 501+ Massachusetts Inmate Health Records Exposed. 12-Month Notification Lag. No Credit Monitoring Offered. What To Do

The Middlesex Sheriff's Office in Massachusetts disclosed in January 2026 a January 2025 network intrusion affecting inmate medical records — a 12-month notification lag. 501 individuals (placeholder; final count likely higher). Names, addresses, DOBs, diagnoses, and 'other general health information' exposed for people who received correctional healthcare. No SSN; no credit monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 1, 2025

Network intrusion occurs (January 2025); internet systems proactively disconnected

Jan 15, 2025

Breach detected

Nov 19, 2025

Investigation completed

Jan 20, 2026

Public notice; HHS OCR filing; Massachusetts AG Report #2026-141 filed

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Diagnoses Possible SUD treatment records (per MSO's MAT and behavioral health programming; 42 CFR Part 2 implications not addressed in notice)

03

Contact & insurance

Phishing + targeted scams

Full name Home address Other general health information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Srourian Law Firm SLFLA (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

The Middlesex Sheriff’s Office (MSO) operates the Middlesex Jail & House of Correction in Billerica, Massachusetts — the primary pretrial and sentenced-male facility for Middlesex County (Massachusetts’s most populous county). MSO directly provides inmate medical, behavioral health, and substance use treatment services.

In January 2025, an unauthorized actor accessed MSO’s network. The office proactively disconnected internet systems while investigating. The investigation was completed on November 19, 2025, and MSO publicly disclosed the breach on January 20, 2026 — a ~12-month gap between incident and notice, unusually long under HIPAA’s 60-day clock.

MSO filed simultaneously with HHS OCR (501 individuals, placeholder), the Massachusetts AG (Report #2026-141), and posted public notice. The 501 figure is explicitly flagged in coverage as pending final count, not a confirmed total.

The investigation involved the FBI, Massachusetts State Police, Commonwealth Fusion Center, Massachusetts EOTSS, and two private cyber vendors — a multi-agency response that suggests a serious incident, though no threat actor has been publicly named and no ransomware leak-site claim has been observed.

Why correctional-health breaches carry distinct weight

Affected individuals are current and former inmates who received medical care through MSO’s correctional health services. This population:

  • Cannot easily protect themselves with credit freezes or fraud alerts while incarcerated
  • May have SUD treatment records (MSO operates Medication-Assisted Treatment for opioid use disorder; the breach may implicate 42 CFR Part 2 protections — the notice does not address this)
  • May have mental health diagnoses that carry stigma beyond civilian breaches
  • Often re-enter the community already facing housing, employment, and benefits challenges that medical record exposure compounds

The notice mentions “diagnoses” and “other general health information” — but does not enumerate whether SUD treatment records (42 CFR Part 2-protected) or mental health records are specifically in scope. OCR’s Part 2 enforcement authority went live February 16, 2026 — less than a month after this filing.

What was stolen

Per MSO’s notice:

  • Full name
  • Home address
  • Date of birth
  • Diagnoses
  • Other general health information

For “individuals MSO may have previously provided medical care to.”

No SSNs, financial, or insurance data are disclosed in the public notice. Mental health and SUD treatment records are not specifically addressed despite the custodial-care context.

What MSO is offering

MSO’s response is notable for what it does not include:

  • No complimentary credit monitoring
  • No identity theft protection offered
  • Recommendation only: monitor credit, consider fraud alert, review bank and insurance statements
  • Free security freezes pointed to at Equifax, Experian, TransUnion
  • Contact: [email protected]

The absence of credit monitoring for a PHI breach affecting a vulnerable, mostly incarcerated or recently-incarcerated population is unusual and likely a focal point of any class action investigation.

What to do

  1. Read your specific notification letter if you have been notified, to confirm what data elements were involved in your case.
  2. If you are or were incarcerated, ask whether you can authorize a family member to monitor your credit on your behalf.
  3. Place free credit freezes at Equifax, Experian, TransUnion when you have the capacity to do so.
  4. If your SUD treatment records were in scope, you have additional protections under 42 CFR Part 2 — civil enforcement is now active as of February 16, 2026.
  5. If you are reentering society, document the breach for future reference — exposed correctional medical records may surface during housing applications, employment background checks, or benefits determinations.
  6. Stop the ongoing flow of your correctional-health data. HealthConsent files HIPAA and 42 CFR Part 2 restriction requests covering correctional medical, behavioral health, and SUD treatment pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.