Mount Rogers Community Services Data Breach 2025: 38,191 SW Virginia Behavioral Health, IDD & SUD Patients and Staff Exposed in INC Ransom Attack. What To Do
Mount Rogers Community Services Board (Wytheville, VA), a southwest Virginia community services board providing behavioral health, intellectual and developmental disability, and substance use disorder services, disclosed on June 13, 2025 a late-April 2025 ransomware intrusion (April 27–29) affecting 38,191 patients and employees. The INC Ransom gang claimed responsibility on its leak site on June 10, 2025. Exposed data includes names, Social Security numbers, dates of birth, diagnoses, medications, and treatment information. Kroll identity monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 27, 2025
Initial unauthorized access to Mount Rogers' computer systems begins
Apr 29, 2025
Mount Rogers discovers the ransomware incident; outside cybersecurity experts engaged
Jun 10, 2025
INC Ransom gang publicly claims the attack on its dark-web leak site
Jun 13, 2025
Mount Rogers mails consumer notification letters; files notice with Massachusetts AG; publishes Notice of Cyber Incident on mountrogers.org
Jun 13, 2025
Disclosed publicly
Jun 16, 2025
Filed with Vermont Attorney General
Apr 27, 2025
Initial unauthorized access to Mount Rogers' computer systems begins
Apr 29, 2025
Mount Rogers discovers the ransomware incident; outside cybersecurity experts engaged
Jun 10, 2025
INC Ransom gang publicly claims the attack on its dark-web leak site
Jun 13, 2025
Mount Rogers mails consumer notification letters; files notice with Massachusetts AG; publishes Notice of Cyber Incident on mountrogers.org
Jun 13, 2025
Disclosed publicly
Jun 16, 2025
Filed with Vermont Attorney General
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Mount Rogers Community Services Board, a not-for-profit community services board that has served southwest Virginia since 1972 from offices in Wytheville, confirmed in a notice posted to its website and in state attorney general filings that an INC Ransom ransomware intrusion between April 27 and April 29, 2025 exposed sensitive records for 38,191 patients and employees. Mount Rogers provides behavioral health care, services for individuals with intellectual and developmental disabilities, and substance use disorder treatment — which makes the population, not just the headcount, the story here.
Timeline
- April 27, 2025 — initial unauthorized access to Mount Rogers’ network begins, according to the entity’s notice.
- April 29, 2025 — Mount Rogers discovers the intrusion, takes steps to stop the ransomware, and engages outside cybersecurity experts.
- June 10, 2025 — the INC Ransom ransomware gang publicly claims responsibility on its dark-web leak site, posting sample document images as proof. Mount Rogers has not publicly verified the gang’s claim.
- June 13, 2025 — Mount Rogers mails consumer notification letters, publishes a Notice of Cyber Incident on mountrogers.org, and files notice with the Massachusetts Attorney General.
- June 16, 2025 — Mount Rogers files with the Vermont Attorney General; the Vermont AG posts the consumer notice to its breach portal.
What was exposed
Per Mount Rogers’ Notice of Cyber Incident and the Vermont AG consumer notice, the data set obtained from Mount Rogers’ computer systems included, depending on the individual:
For patients:
- Full name, address, ZIP code, and date of birth
- Social Security number
- Diagnoses / conditions, medications, dates of service, and other treatment information
- Health insurance and claims information
For employees (and in some cases their dependents):
- Name, address, date of birth
- Social Security number and driver’s license number
- Medical information collected for employment purposes
- Benefits enrollment information and health insurance numbers
Sensitive-population considerations (behavioral health + SUD — 42 CFR Part 2 likely applies)
Mount Rogers is a Virginia community services board. Its service lines include behavioral / mental health care, intellectual and developmental disability supports, and substance use disorder treatment. For the SUD population, treatment records are generally covered by 42 CFR Part 2 in addition to HIPAA. Part 2 imposes stricter consent and re-disclosure requirements than HIPAA, and HHS OCR began enforcing a unified HIPAA/Part 2 rule effective February 16, 2026 — which means unauthorized exfiltration and posting of SUD treatment records is now squarely within OCR’s enforcement lane.
Mount Rogers’ public notice does not invoke Part 2 by name. It also does not separately enumerate behavioral-health or SUD diagnoses inside the affected data set, instead describing the exposure generically as “diagnosis/conditions, medications, dates of service, or other treatment information.” For patients who received care through Mount Rogers’ SUD or behavioral-health programs, that language almost certainly covers the most sensitive parts of their record.
Class-action posture
As of this writing, no class-action complaint against Mount Rogers Community Services has been publicly indexed in the U.S. District Court for the Western District of Virginia in the open sources reviewed, and no plaintiff firm has publicly announced an investigation in the sources reviewed. INC Ransom’s posting of sample documents on its leak site — the kind of public exfiltration evidence that typically triggers plaintiff-firm interest — is documented in trade press (Cybernews, SC Media), so this page will be updated if filings appear.
What to do
- Read the letter. If you or a family member received services from Mount Rogers, watch for a letter mailed on or around June 13, 2025. It contains your enrollment code for free credit and identity monitoring through Kroll. If you believe you were affected but did not receive a letter, Mount Rogers directs you to email [email protected].
- Enroll in the offered Kroll monitoring. Full SSN is in scope for both patients and employees.
- Place free credit freezes at Equifax, Experian, and TransUnion. About ten minutes per bureau, and the single highest-leverage step against new-account identity theft.
- File IRS Form 14039 if you see signs of tax-refund fraud or receive an unexpected IRS notice. SSNs exposed alongside dates of birth are the exact ingredients for fraudulent tax filings.
- If your SUD or behavioral-health record was in the exfiltrated set, document any unauthorized re-disclosure you encounter. Under 42 CFR Part 2, you have stronger remedies for re-disclosure of SUD records than HIPAA alone provides.
- Stop the ongoing flow of your most sensitive treatment data. HealthConsent files HIPAA and 42 CFR Part 2 restriction requests so behavioral-health and SUD records exposed in incidents like this are not continuously re-shared downstream.
Sources
- Mount Rogers Community Services — Notice of Cyber Incident — the entity’s own public notice; timeline, data categories, and Kroll monitoring contact.
- Vermont Attorney General — Mount Rogers consumer notice (June 13, 2025) — state-AG-hosted copy of the consumer notification letter.
- Comparitech — Virginia community service org notifies 38K patients and staff of data breach — confirms the 38,191 headcount and breakdown of patient vs. employee data fields.
- Cybernews — Virginia mental health clinic targeted in ransomware attack — INC Ransom attribution and leak-site posting.
- SC Media — Mount Rogers Community Services purportedly hit by INC Ransom gang — independent confirmation of INC Ransom claim of responsibility.
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Mount Rogers Community Services: Notice of Cyber Incident
- Vermont AG: Mount Rogers Data Breach Notice to Consumers (2025-06-13)
- Comparitech: Virginia community service org notifies 38K of data breach
- Cybernews: Virginia mental health clinic targeted in ransomware attack
- SC Media: Mount Rogers Community Services purportedly hit by INC Ransom gang
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.