Oglethorpe, Inc. Data Breach 2025: 92,332 Behavioral Health & Addiction Treatment Patients Exposed · $350K Class Settlement · $32M DOJ Fraud Settlement
Oglethorpe, Inc., a Tampa, Florida-based behavioral health and addiction-treatment network operating Port St. Lucie Hospital, Ridgeview Behavioral Hospital, Springbrook Hospital, and The Blackberry Center, disclosed a May 15 to June 6, 2025 network intrusion that exfiltrated names, Social Security numbers, driver's license numbers, dates of birth, and medical information for 92,332 patients and employees. The OCR portal entry is dated August 5, 2025; notification letters mailed October 31, 2025; 12 months TransUnion Cyberscout credit monitoring offered. A consolidated class action in Broward County, FL has reached a $350,000 settlement with final approval set for June 22, 2026.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 15, 2025
Initial unauthorized access to Oglethorpe's network
Jun 6, 2025
Intrusion detected; network briefly inoperable; third-party forensics engaged; FBI notified
Aug 5, 2025
HHS OCR breach portal entry filed (92,332 affected; Hacking/IT Incident; Network Server)
Sep 16, 2025
Forensic investigation concluded; PHI exfiltration confirmed
Oct 23, 2025
Data and address review completed; specific data elements and individuals identified
Oct 31, 2025
Individual notification letters mailed; Maine AG (85 residents) and other state AG filings submitted
Mar 10, 2026
Preliminary approval of $350K class settlement, Scott et al. v. Oglethorpe, Inc., CACE25018319 (Broward County, FL)
May 27, 2026
DOJ announces $32M False Claims Act settlement — Oglethorpe, founder Robert Cohen, CEO John Picciano, and COO James O'Shea resolve Medicare overpayment fraud allegations; 10-year Medicare/Medicaid exclusion begins July 2026
Jun 8, 2026
Exclusion / objection deadline (Scott v. Oglethorpe)
Jun 22, 2026
Final approval fairness hearing (Scott v. Oglethorpe)
Jul 8, 2026
Class settlement claim submission deadline
May 15, 2025
Initial unauthorized access to Oglethorpe's network
Jun 6, 2025
Intrusion detected; network briefly inoperable; third-party forensics engaged; FBI notified
Aug 5, 2025
HHS OCR breach portal entry filed (92,332 affected; Hacking/IT Incident; Network Server)
Sep 16, 2025
Forensic investigation concluded; PHI exfiltration confirmed
Oct 23, 2025
Data and address review completed; specific data elements and individuals identified
Oct 31, 2025
Individual notification letters mailed; Maine AG (85 residents) and other state AG filings submitted
Mar 10, 2026
Preliminary approval of $350K class settlement, Scott et al. v. Oglethorpe, Inc., CACE25018319 (Broward County, FL)
May 27, 2026
DOJ announces $32M False Claims Act settlement — Oglethorpe, founder Robert Cohen, CEO John Picciano, and COO James O'Shea resolve Medicare overpayment fraud allegations; 10-year Medicare/Medicaid exclusion begins July 2026
Jun 8, 2026
Exclusion / objection deadline (Scott v. Oglethorpe)
Jun 22, 2026
Final approval fairness hearing (Scott v. Oglethorpe)
Jul 8, 2026
Class settlement claim submission deadline
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Oglethorpe, Inc. is a Tampa, Florida-based behavioral health management company founded in 1999 that operates psychiatric hospitals and addiction-recovery facilities across Florida, Louisiana, and Ohio. Between May 15 and June 6, 2025, an unauthorized actor was inside Oglethorpe’s network. The company filed with HHS OCR on August 5, 2025, listing 92,332 affected individuals in a Hacking/IT Incident at a Network Server, and began mailing notification letters on October 31, 2025. Consolidated class litigation in Broward County, Florida has since reached a settlement of up to $350,000, with a final fairness hearing set for June 22, 2026.
Separately, on May 27, 2026, the U.S. Department of Justice announced that Oglethorpe, its founder and principal owner Robert Cohen, CEO John Picciano, and COO James O’Shea agreed to pay $32 million to resolve False Claims Act allegations. The DOJ alleged that the defendants knowingly failed to return Medicare overpayments — identified by their own consultants — for patients admitted to Oglethorpe’s Ohio facilities (Ridgeview Behavioral Hospital, Georgetown Behavioral Hospital, and The Woods at Parkside substance abuse clinic) who did not qualify for inpatient psychiatric care. The conduct spanned 2021 through 2025 and violated a Corporate Integrity Agreement Oglethorpe had entered in 2021 after a prior FCA settlement. As a consequence, Oglethorpe, Cohen, Picciano, and O’Shea agreed to a 10-year voluntary exclusion from Medicare, Medicaid, and all federal healthcare programs, effective July 2026. The qui tam suit was filed by four former Oglethorpe employees including a registered nurse, former chief fiscal officer, former regional director of operations, and former director of financial operations.
Timeline
- May 15, 2025 — Unauthorized third-party access to Oglethorpe’s IT environment begins.
- June 6, 2025 — Intrusion detected. The network is briefly rendered inoperable. Oglethorpe engages third-party cybersecurity forensics experts, wipes and rebuilds affected systems from backup, and notifies the FBI.
- August 5, 2025 — HHS OCR breach portal entry filed: 92,332 affected, Hacking/IT Incident, Network Server.
- September 16, 2025 — Forensic investigation concludes; Oglethorpe confirms that protected health information was exfiltrated from the network.
- October 23, 2025 — Document and address review complete; specific data elements and impacted individuals identified.
- October 31, 2025 — Individual notification letters mailed; Maine Attorney General filing identifies 85 Maine residents; additional state AG filings submitted.
- November 2025 — Local Tampa press coverage (WTSP) and trade press (HIPAA Journal, BankInfoSecurity, ClassAction.org) publish detailed accounts.
- March 10, 2026 — Circuit Court for Broward County, Florida grants preliminary approval of the class settlement in Scott et al. v. Oglethorpe, Inc., Case No. CACE25018319.
- May 27, 2026 — DOJ announces $32M False Claims Act settlement against Oglethorpe and three named executives for Medicare overpayment fraud at Ohio facilities; 10-year Medicare/Medicaid exclusion takes effect July 2026.
- June 8, 2026 — Deadline for class members to exclude themselves or object.
- June 22, 2026 — Final approval (fairness) hearing scheduled.
- July 8, 2026 — Class settlement claim submission deadline.
What was exposed
Per Oglethorpe’s notification letters and the Maine AG filing, the data elements involved vary by individual but may include:
- First and last name
- Date of birth
- Social Security number
- Driver’s license or state identification number
- Medical information
Oglethorpe states it has no evidence of misuse to date. That does not change the fact that full Social Security numbers paired with medical-treatment context are in scope for approximately 92,000 people across a four-month window before notification.
Sensitive-population note: behavioral health and addiction-treatment records
The affected facilities are not general-purpose clinics. Public reporting and Oglethorpe’s own marketing identify the hospitals in the company’s network as:
- Port St. Lucie Hospital (Port St. Lucie, FL) — a 75-bed inpatient mental health facility
- Springbrook Hospital (Brooksville, FL) — a 66-bed Baker Act receiving facility for adult and geriatric psychiatric care
- The Blackberry Center (St. Cloud, FL) — a 64-bed inpatient mental health and addiction recovery facility, including the Heroes’ Mile program for veterans with PTSD and substance use disorder
- The Willough at Naples (Naples, FL) — adult mental health rehabilitation
- Ridgeview Behavioral Hospital (Middleburg Heights, OH) — inpatient psychiatric and chemical dependency
Records held by these facilities almost certainly include data about psychiatric admissions, substance use disorder treatment, medications, and diagnoses. For programs that meet the definition of a federally-assisted substance use disorder program, those records would carry 42 CFR Part 2 protection in addition to HIPAA. Part 2 imposes stricter consent and re-disclosure rules; under the unified Part 2 / HIPAA rule effective February 16, 2026, the HHS Office for Civil Rights is the enforcing agency. Oglethorpe’s public notice does not address whether Part 2-protected records were in the compromised file set.
What Oglethorpe is offering
Direct from Oglethorpe (via the notification letter):
- 12 months of complimentary TransUnion Cyberscout single-bureau credit monitoring, credit-report, and credit-score services.
- A dedicated incident call center and substitute notice on the company’s website.
- General recommendations to obtain free credit reports, place fraud alerts, and consider security freezes. The entity-funded offering does not include identity-theft insurance or medical-identity monitoring.
Through the class settlement (separate from the above):
All settlement class members automatically receive one year of CyEx Medical Shield Complete medical data monitoring at no cost. Per the official settlement FAQ, the monitoring covers healthcare insurance ID exposure, Medical Record Number (MRN) exposure, and unauthorized Health Savings Account (HSA) spending, and includes a $1,000,000 medical identity theft insurance policy. Enrollment codes have been sent by postcard to class members; those who did not receive one should contact the settlement administrator.
Settlement administrator contact:
- Website: oglethorpe2025dataincident.com
- Phone: 888-406-0861 (toll-free, 24/7)
- Email: [email protected]
- Mail: Oglethorpe Data Incident Settlement, c/o Settlement Administrator, PO Box 25191, Santa Ana, CA 92799-9958
Class-action posture
Multiple putative class actions were filed and consolidated in the Circuit Court of the 17th Judicial Circuit, Broward County, Florida under the caption Scott, et al. v. Oglethorpe, Inc., Case No. CACE25018319. Plaintiff firms publicly investigating or representing class members include Wolf Haldenstein Adler Freeman & Herz; Lynch Carpenter; Murphy Law Firm; Kantrowitz, Goldhamer, Graifman, Perlmutter & Carballo; Schubert Jonckheer & Kolbe; Gibbs Law Group; and Emery Reddy. The lawsuits alleged breach of implied contract, unjust enrichment, negligence, and negligence per se. Oglethorpe denies wrongdoing.
Oglethorpe has agreed to a settlement whose structure includes: a $350,000 cash fund for class members; $500,000 in attorneys’ fees and costs; $1,500 service awards for each of the 10 class representatives ($15,000 total); administration and notice costs; and CyEx Medical Shield Complete medical monitoring for all class members. Preliminary approval was granted on March 10, 2026. Settlement notice was mailed April 9, 2026.
Eligible losses for Option A (documented losses) must have occurred between June 1, 2025 and July 8, 2026 and include unreimbursed costs from identity theft or fraud, credit-report or monitoring fees, ID-replacement costs, and postage for contacting financial institutions. Bank statements or receipts are required; self-prepared notes alone are not sufficient but may supplement other documentation.
Key deadlines:
- June 8, 2026 — exclusion or objection deadline.
- June 22, 2026 — final approval fairness hearing.
- July 8, 2026 — claim submission deadline (online at oglethorpe2025dataincident.com or by mail).
What to do if you may be affected
- File a settlement claim before July 8, 2026. File online at oglethorpe2025dataincident.com using the unique ID and PIN from your settlement notice, or download and mail the PDF claim form. If you cannot locate your ID and PIN, contact the settlement administrator at 888-406-0861 (24/7) or [email protected]. Choose Option A if you can document out-of-pocket losses (up to $2,500); choose Option B for the $75 flat cash payment with no documentation required.
- Activate your CyEx Medical Shield Complete monitoring. Enrollment codes were sent by postcard in April 2026. This covers medical identity theft, MRN exposure, insurance ID fraud, and HSA unauthorized spending, with a $1M insurance policy — and stacks with the separate TransUnion Cyberscout credit monitoring offered in your Oglethorpe notification letter.
- Place free credit freezes at Equifax, Experian, and TransUnion. Full SSN is in scope; a freeze is the single highest-leverage control against new-account fraud.
- File IRS Form 14039 if your tax return is rejected for duplicate filing. SSN-driven tax-refund fraud is a known downstream risk.
- Watch every Explanation of Benefits. Because medical information was in scope, request a copy of your medical record from your insurer if you see services you did not receive.
- Note the Medicare fraud context. The DOJ’s May 2026 settlement found Oglethorpe admitted Ohio patients who did not qualify for inpatient psychiatric care and billed Medicare for those stays. If you received care at Ridgeview Behavioral Hospital (Middleburg Heights, OH), Georgetown Behavioral Hospital, or The Woods at Parkside, review your Medicare Summary Notice or Explanation of Benefits for any billed services you did not authorize or receive.
- Document any unauthorized re-disclosure of your psychiatric or substance-use-disorder records. For Part 2-covered programs, private remedies for unauthorized re-disclosure are stronger than under HIPAA alone.
- Stop the ongoing flow of your behavioral health data. HealthConsent files HIPAA restriction requests so the psychiatric and substance-use-disorder records exposed in this breach are not continuously re-shared across insurance networks, clearinghouses, and downstream analytics vendors.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (92,332 affected; Hacking/IT Incident; Network Server; reported 2025-08-05).
- HIPAA Journal — Oglethorpe Hacking Incident Affects more than 92,000 Patients — incident timeline, exposed data elements, credit-monitoring offering, FBI notification.
- HIPAA Journal — Oglethorpe Settles Data Breach Lawsuit — $350K settlement terms, court, deadlines.
- ClassAction.org — Up to $350K Oglethorpe Settlement Resolves Class Action Over June 2025 Data Breach — case caption, case number, claim and approval deadlines.
- ClassAction.org — Oglethorpe Data Breach Impacts 92K; Medical, Personal Info Affected — affected-facility list and exposed data inventory.
- BankInfoSecurity — Data Theft Hits Behavioral Health Network in 3 States — three-state footprint, network rebuild, FBI notification.
- WTSP (Tampa CBS) — Tampa-based addiction treatment company Oglethorpe admits to data breach — local trade press confirmation.
- The Daily Hodl — 92,332 Americans Affected After ‘Data Security Incident’ Hits Healthcare Firm — independent confirmation of affected count.
- TopClassActions — $350K Oglethorpe Data Breach Class Action Settlement — class-member benefits and claim mechanics.
- Oglethorpe, Inc. corporate site — entity self-description and facility list.
- U.S. Department of Justice — Oglethorpe Inc. and Top Executives Agree to Pay $32M to Resolve False Claims Act Allegations — Medicare overpayment fraud, 10-year exclusion, named executives.
- Oglethorpe Data Incident Settlement — Official Court-Authorized Site — settlement administrator, CyEx Medical Shield Complete monitoring details, claim deadlines, payout options.
- JD Supra / King & Spalding — DOJ FCA Settlement with Psychiatric Hospital Operator (June 1, 2026) — trade-press analysis, Ohio facilities identified, CIA violation context.
- Florin Gray — Clients Part of $32M False Claims Act Settlement Involving Oglethorpe Inc. — whistleblower relator context, executive personal liability provisions.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Oglethorpe Hacking Incident Affects more than 92,000 Patients
- HIPAA Journal — Oglethorpe Settles Data Breach Lawsuit
- ClassAction.org — Up to $350K Oglethorpe Settlement Resolves Class Action Over June 2025 Data Breach
- ClassAction.org — Oglethorpe Data Breach Impacts 92K; Medical, Personal Info Affected
- BankInfoSecurity — Data Theft Hits Behavioral Health Network in 3 States
- WTSP (Tampa CBS) — Tampa-based addiction treatment company Oglethorpe admits to data breach
- The Daily Hodl — 92,332 Americans Affected After 'Data Security Incident' Hits Healthcare Firm
- TopClassActions — $350K Oglethorpe Data Breach Class Action Settlement
- Oglethorpe, Inc. corporate site (facility list)
- U.S. Department of Justice — Oglethorpe Inc. and Top Executives Agree to Pay $32M to Resolve False Claims Act Allegations
- Oglethorpe Data Incident Settlement — Official Court-Authorized Site (oglethorpe2025dataincident.com)
- JD Supra / King & Spalding — DOJ FCA Settlement with Psychiatric Hospital Operator
- Florin Gray — Clients Part of $32M False Claims Act Settlement Involving Oglethorpe Inc.
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.