Active breach tracker Wytheville, Virginia Disclosed June 13, 2025

Mount Rogers Community Services Data Breach 2025: 38,191 SW Virginia Behavioral Health, IDD & SUD Patients and Staff Exposed in INC Ransom Attack. What To Do

Mount Rogers Community Services Board (Wytheville, VA), a southwest Virginia community services board providing behavioral health, intellectual and developmental disability, and substance use disorder services, disclosed on June 13, 2025 a late-April 2025 ransomware intrusion (April 27–29) affecting 38,191 patients and employees. The INC Ransom gang claimed responsibility on its leak site on June 10, 2025. Exposed data includes names, Social Security numbers, dates of birth, diagnoses, medications, and treatment information. Kroll identity monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 27, 2025

Initial unauthorized access to Mount Rogers' computer systems begins

Apr 29, 2025

Mount Rogers discovers the ransomware incident; outside cybersecurity experts engaged

Jun 10, 2025

INC Ransom gang publicly claims the attack on its dark-web leak site

Jun 13, 2025

Mount Rogers mails consumer notification letters; files notice with Massachusetts AG; publishes Notice of Cyber Incident on mountrogers.org

Jun 13, 2025

Disclosed publicly

Jun 16, 2025

Filed with Vermont Attorney General

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number (employees)

02

Health records

Don't expire and can't be reissued

Diagnosis / conditions Medications Dates of service and other treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address and ZIP code Health insurance and claims information Medical information for employment purposes (employees) Benefits enrollment information (employees)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Mount Rogers Community Services Board, a not-for-profit community services board that has served southwest Virginia since 1972 from offices in Wytheville, confirmed in a notice posted to its website and in state attorney general filings that an INC Ransom ransomware intrusion between April 27 and April 29, 2025 exposed sensitive records for 38,191 patients and employees. Mount Rogers provides behavioral health care, services for individuals with intellectual and developmental disabilities, and substance use disorder treatment — which makes the population, not just the headcount, the story here.

Timeline

  • April 27, 2025 — initial unauthorized access to Mount Rogers’ network begins, according to the entity’s notice.
  • April 29, 2025 — Mount Rogers discovers the intrusion, takes steps to stop the ransomware, and engages outside cybersecurity experts.
  • June 10, 2025 — the INC Ransom ransomware gang publicly claims responsibility on its dark-web leak site, posting sample document images as proof. Mount Rogers has not publicly verified the gang’s claim.
  • June 13, 2025 — Mount Rogers mails consumer notification letters, publishes a Notice of Cyber Incident on mountrogers.org, and files notice with the Massachusetts Attorney General.
  • June 16, 2025 — Mount Rogers files with the Vermont Attorney General; the Vermont AG posts the consumer notice to its breach portal.

What was exposed

Per Mount Rogers’ Notice of Cyber Incident and the Vermont AG consumer notice, the data set obtained from Mount Rogers’ computer systems included, depending on the individual:

For patients:

  • Full name, address, ZIP code, and date of birth
  • Social Security number
  • Diagnoses / conditions, medications, dates of service, and other treatment information
  • Health insurance and claims information

For employees (and in some cases their dependents):

  • Name, address, date of birth
  • Social Security number and driver’s license number
  • Medical information collected for employment purposes
  • Benefits enrollment information and health insurance numbers

Sensitive-population considerations (behavioral health + SUD — 42 CFR Part 2 likely applies)

Mount Rogers is a Virginia community services board. Its service lines include behavioral / mental health care, intellectual and developmental disability supports, and substance use disorder treatment. For the SUD population, treatment records are generally covered by 42 CFR Part 2 in addition to HIPAA. Part 2 imposes stricter consent and re-disclosure requirements than HIPAA, and HHS OCR began enforcing a unified HIPAA/Part 2 rule effective February 16, 2026 — which means unauthorized exfiltration and posting of SUD treatment records is now squarely within OCR’s enforcement lane.

Mount Rogers’ public notice does not invoke Part 2 by name. It also does not separately enumerate behavioral-health or SUD diagnoses inside the affected data set, instead describing the exposure generically as “diagnosis/conditions, medications, dates of service, or other treatment information.” For patients who received care through Mount Rogers’ SUD or behavioral-health programs, that language almost certainly covers the most sensitive parts of their record.

Class-action posture

As of this writing, no class-action complaint against Mount Rogers Community Services has been publicly indexed in the U.S. District Court for the Western District of Virginia in the open sources reviewed, and no plaintiff firm has publicly announced an investigation in the sources reviewed. INC Ransom’s posting of sample documents on its leak site — the kind of public exfiltration evidence that typically triggers plaintiff-firm interest — is documented in trade press (Cybernews, SC Media), so this page will be updated if filings appear.

What to do

  1. Read the letter. If you or a family member received services from Mount Rogers, watch for a letter mailed on or around June 13, 2025. It contains your enrollment code for free credit and identity monitoring through Kroll. If you believe you were affected but did not receive a letter, Mount Rogers directs you to email [email protected].
  2. Enroll in the offered Kroll monitoring. Full SSN is in scope for both patients and employees.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. About ten minutes per bureau, and the single highest-leverage step against new-account identity theft.
  4. File IRS Form 14039 if you see signs of tax-refund fraud or receive an unexpected IRS notice. SSNs exposed alongside dates of birth are the exact ingredients for fraudulent tax filings.
  5. If your SUD or behavioral-health record was in the exfiltrated set, document any unauthorized re-disclosure you encounter. Under 42 CFR Part 2, you have stronger remedies for re-disclosure of SUD records than HIPAA alone provides.
  6. Stop the ongoing flow of your most sensitive treatment data. HealthConsent files HIPAA and 42 CFR Part 2 restriction requests so behavioral-health and SUD records exposed in incidents like this are not continuously re-shared downstream.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.