Richmond Behavioral Health Authority Data Breach 2025 (Qilin Ransomware): 113,232 VA Behavioral-Health Patients Exposed. No Credit Monitoring Offered. What To Do
Richmond Behavioral Health Authority (RBHA) disclosed a Qilin ransomware attack on September 29, 2025 that exposed names, Social Security numbers, passport numbers, financial account data, and health information of 113,232 individuals. RBHA offered no credit monitoring. Multiple class actions filed in the Eastern District of Virginia. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 29, 2025
Threat actor first accessed RBHA's network and later deployed ransomware encrypting files
Sep 30, 2025
RBHA discovered the unauthorized access and engaged IT and outside cybersecurity counsel
Oct 15, 2025
Qilin ransomware group claimed responsibility in mid-October, adding RBHA to its Tor-based leak site
Nov 28, 2025
RBHA reported the breach to the HHS Office for Civil Rights (113,232 individuals)
Dec 4, 2025
Individual notification letters mailed to affected persons (66 days after initial access, exceeding HIPAA's 60-day window)
Dec 17, 2025
RBHA filed breach notification with the Massachusetts Attorney General's office
Dec 18, 2025
Shanequa Reed filed putative class action Reed v. RBHA (3:25-cv-01037, E.D. Va.); Lynch Carpenter LLP announced investigation
Jan 2, 2026
Kara Toney filed a second putative class action in E.D. Va.; Nathan Custalow-Hall filed a third suit
Jan 29, 2026
Daniel Guevara (pro se) filed a fourth civil action, Guevara v. RBHA (3:26-cv-00075, E.D. Va.)
Feb 17, 2026
Reed voluntarily dismissed her case (3:25-cv-01037) after RBHA moved to dismiss and Reed filed an amended complaint
Mar 23, 2026
RBHA moved to dismiss the Guevara case for lack of jurisdiction; case pending before Judge David J. Novak
Sep 29, 2025
Threat actor first accessed RBHA's network and later deployed ransomware encrypting files
Sep 30, 2025
RBHA discovered the unauthorized access and engaged IT and outside cybersecurity counsel
Oct 15, 2025
Qilin ransomware group claimed responsibility in mid-October, adding RBHA to its Tor-based leak site
Nov 28, 2025
RBHA reported the breach to the HHS Office for Civil Rights (113,232 individuals)
Dec 4, 2025
Individual notification letters mailed to affected persons (66 days after initial access, exceeding HIPAA's 60-day window)
Dec 17, 2025
RBHA filed breach notification with the Massachusetts Attorney General's office
Dec 18, 2025
Shanequa Reed filed putative class action Reed v. RBHA (3:25-cv-01037, E.D. Va.); Lynch Carpenter LLP announced investigation
Jan 2, 2026
Kara Toney filed a second putative class action in E.D. Va.; Nathan Custalow-Hall filed a third suit
Jan 29, 2026
Daniel Guevara (pro se) filed a fourth civil action, Guevara v. RBHA (3:26-cv-00075, E.D. Va.)
Feb 17, 2026
Reed voluntarily dismissed her case (3:25-cv-01037) after RBHA moved to dismiss and Reed filed an amended complaint
Mar 23, 2026
RBHA moved to dismiss the Guevara case for lack of jurisdiction; case pending before Judge David J. Novak
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Richmond Behavioral Health Authority (RBHA) is the public community services board for the City of Richmond, Virginia, providing mental health, intellectual disability, and substance use disorder services. On September 29, 2025, threat actors gained access to RBHA’s network and deployed ransomware that encrypted files; RBHA detected the intrusion the next day. After a forensic review, RBHA reported the incident to the HHS Office for Civil Rights on November 28, 2025 and began mailing individual notification letters on December 4, 2025. The breach affected 113,232 individuals. The Qilin ransomware-as-a-service group claimed responsibility in mid-October 2025, said it exfiltrated 192 GB of data (more than 393,000 files), and published the stolen files on its dark-web leak site. RBHA notified at least 14 state attorneys general of the breach and filed notices with the Massachusetts AG on December 17, 2025. RBHA offered no credit monitoring to affected individuals. Multiple civil actions have been filed in the Eastern District of Virginia; one was voluntarily dismissed and others remain active.
Timeline
- September 29, 2025 — Initial unauthorized network access; ransomware later deployed, encrypting portions of RBHA’s environment.
- September 30, 2025 — RBHA discovers the incident and engages internal IT plus outside cybersecurity counsel.
- Mid-October 2025 — Qilin ransomware group claims the RBHA attack on its Tor-based leak site and begins publishing the exfiltrated data (192 GB, 393,000+ files per SecurityWeek).
- November 28, 2025 — RBHA reports the breach to the HHS Office for Civil Rights, listing 113,232 affected individuals and “Network Server” as the location of the breached information.
- December 4, 2025 — RBHA begins mailing notification letters to affected individuals, 66 days after initial access, exceeding HIPAA’s 60-day notification window.
- December 17, 2025 — RBHA notifies the Massachusetts Attorney General’s office (one of at least 14 state AG filings confirmed by multi-state disclosure records).
- December 18, 2025 — Plaintiff Shanequa Reed files Reed v. RBHA (3:25-cv-01037, E.D. Va.); Lynch Carpenter LLP announces a separate investigation into claims.
- January 2, 2026 — Plaintiff Kara Toney files a second putative class action in E.D. Va.; plaintiff Nathan Custalow-Hall files a third suit around the same time.
- January 29, 2026 — Daniel Guevara (pro se, Shreveport, LA) files Guevara v. RBHA (3:26-cv-00075, E.D. Va.) as a fourth civil action seeking injunctive relief and production of investigative materials.
- February 3, 2026 — Judge David J. Novak denies Guevara’s emergency motion for a preliminary injunction.
- February 17, 2026 — Shanequa Reed voluntarily dismisses Reed v. RBHA (3:25-cv-01037) after RBHA moved to dismiss and Reed filed an amended complaint.
- March 23, 2026 — RBHA moves to dismiss the Guevara case for lack of jurisdiction; case pending.
What was exposed
Per RBHA’s own notice and corroborating trade-press reporting, the files involved contained one or more of the following per individual:
- Full name
- Social Security number
- Passport number
- Financial account information
- Medical / health information
RBHA’s notice qualifies that it found “no definitive evidence” of access to specific patient records, but mailed notices “out of an abundance of caution” — language consistent with a forensic review that confirms exposure of files containing the categories above without per-record proof of viewing. Qilin’s leak post and screenshots indicate at least some patient-level data was exfiltrated and published.
Sensitive-population considerations (behavioral health, SUD, 42 CFR Part 2)
RBHA is a community services board whose service mix expressly includes substance use disorder treatment. Records created or maintained by federally assisted SUD treatment programs are protected by 42 CFR Part 2, a confidentiality regime that is meaningfully stricter than HIPAA — and that, since the 2024 HHS final rule (compliance deadline February 16, 2026), carries its own breach-notification expectations layered on top of HIPAA. Several practical implications follow for individuals notified by RBHA:
- A Part 2 breach is more damaging than a typical PHI breach. Part 2 was written precisely because the existence of SUD treatment — independent of any clinical detail — can drive employment, custody, immigration, and insurance harm. Disclosure that an individual is in RBHA’s system at all can be sensitive.
- Behavioral-health metadata is sensitive even without diagnosis text. Appointment logs, provider names, billing codes, and program identifiers can imply diagnosis or treatment type.
- Identity-theft risk compounds. SSN + passport + financial account + medical record numbers in one set is a high-value bundle for both financial fraud and medical identity theft (fraudulent billing, controlled-substance prescriptions in a victim’s name).
- Heightened spam, phishing, and social-engineering risk is documented in the early plaintiffs’ allegations, including spam-call surges and account-login attempts in the weeks after the breach.
If you are an RBHA client or were a client of a predecessor program, treat any unsolicited contact referencing your behavioral-health care, billing, or “verification” as suspect until verified through a known RBHA phone number.
Class-action posture
As of June 2026, at least four civil actions have been filed against RBHA in the U.S. District Court for the Eastern District of Virginia, with one dismissed and others still active:
- Reed v. Richmond Behavioral Health Authority (3:25-cv-01037) — filed December 18, 2025 by Shanequa Reed, who alleged three unauthorized charges to her checking account and attempted unauthorized logins after the breach. RBHA moved to dismiss. Reed filed an amended complaint and then voluntarily dismissed the case on February 17, 2026. RBHA was represented by Wilfredo Bonilla Jr. of Crenshaw, Ware & Martin, P.L.C.
- Toney v. Richmond Behavioral Health Authority — filed January 2, 2026 by Kara Toney in E.D. Va.; plaintiff alleges a spike in spam calls and ongoing identity-theft exposure from behavioral-health records she says are “particularly likely to be used in detrimental ways.”
- Custalow-Hall v. Richmond Behavioral Health Authority — filed around the same time as Toney; plaintiff Nathan Custalow-Hall alleges affected individuals “now face years of constant surveillance of their financial and personal records.”
- Guevara v. Richmond Behavioral Health Authority (3:26-cv-00075) — filed January 29, 2026 by Daniel Guevara (pro se, Shreveport, LA) as a civil-rights action under 42 U.S.C. § 1983. Guevara sought injunctive relief compelling production of investigative materials. Judge David J. Novak denied a preliminary injunction on February 3, 2026. RBHA moved to dismiss for lack of jurisdiction on March 23, 2026; that motion was pending as of last update.
Lynch Carpenter LLP, a national class-action firm, announced a separate investigation into claims against RBHA on December 18, 2025 (GlobeNewswire).
Common allegations across the representative complaints: RBHA failed to take reasonable cybersecurity precautions commensurate with the sensitivity of behavioral-health and SUD records, and RBHA’s notification was untimely at 66 days after access, six days past HIPAA’s 60-day outer limit.
What RBHA is offering
RBHA’s breach notice told affected individuals to “remain vigilant against incidents of identity theft and fraud” and to review account statements. RBHA did not offer complimentary credit monitoring or identity-protection services. This absence is notable given the sensitivity of the data involved, SSN, passport number, and behavioral-health records, and is a focal point of the civil litigation.
What to do
If you received an RBHA notification letter, or were ever served by RBHA and have not yet received one, the following steps are appropriate:
- Freeze your credit with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). Free, takes about ten minutes each, and is the single highest-leverage protection against new-account fraud. With SSN and passport data confirmed in the exposed set, a freeze is the baseline. Because RBHA offered no monitoring, you must take this step yourself.
- File IRS Form 14039 (Identity Theft Affidavit) to put the IRS on notice that your SSN has been exposed. This flags your tax account for suspicious return activity.
- Watch financial accounts and explanation-of-benefits statements closely for unauthorized activity. Report any charge or claim you do not recognize within 60 days to preserve dispute rights.
- If your passport number was exposed, contact the U.S. Department of State. A passport replacement is worth considering if the SSN and passport combination has already been published in the Qilin leak set.
- Be skeptical of phone calls, texts, and emails referencing RBHA, mental-health care, or “incident response.” Threat actors use breach-victim lists for targeted phishing. Verify any caller through a known RBHA number (804-819-4000), not one provided in an unsolicited message.
- Preserve your notification letter and any related correspondence. It is the evidence of record for regulator complaints and class-action participation.
- Stop the ongoing flow of your behavioral-health data. HealthConsent files HIPAA restriction requests so the mental-health, SUD, and clinical records exposed in this breach are not continuously re-shared across payers, clearinghouses, and information exchanges.
Sources
- RBHA Data Security Website Notice (rbha.org) — primary entity disclosure, including dates of access, detection, the data categories involved, and the absence of any credit-monitoring offer.
- HHS Office for Civil Rights Breach Portal — federal regulatory record (113,232 individuals; Hacking/IT Incident; Network Server; submitted November 28, 2025).
- HIPAA Journal — Major Data Breach Announced by Richmond Behavioral Health Authority — trade-press summary of timeline, exposed data categories, and Qilin attribution.
- SecurityWeek — 113,000 Impacted by Data Breach at Virginia Mental Health Authority — confirms Qilin claimed the attack in mid-October 2025 and published 192 GB / 393,000+ files.
- The Richmonder — Behavioral health authority now faces three class-action suits over data breach — local-press reporting on the civil actions, plaintiff names, court, and alleged harms.
- Comparitech — Richmond, VA mental health service notifies 113,000+ people of data breach — cross-confirmation of figures, timeline, and Qilin’s 192 GB exfiltration claim.
- WRIC ABC 8News — RBHA ransomware data security incident — Richmond-market broadcast coverage of the initial disclosure.
- GlobeNewswire — Lynch Carpenter LLP Investigating Richmond Behavioral Health Authority Data Breach — confirms Lynch Carpenter investigation announced December 18, 2025.
- PacerMonitor — Reed v. Richmond Behavioral Health Authority, 3:25-cv-01037 (E.D. Va.) — federal docket confirming Reed’s voluntary dismissal on February 17, 2026 and RBHA’s motion to dismiss.
- Justia — Guevara v. Richmond Behavioral Health Authority, 3:26-cv-00075 (E.D. Va.) — federal docket record.
- PacerMonitor — Guevara v. Richmond Behavioral Health Authority, 3:26-cv-00075 (E.D. Va.) — confirms Guevara is a separate pro se plaintiff; RBHA moved to dismiss for lack of jurisdiction March 23, 2026.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- RBHA Data Security Website Notice (rbha.org)
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Major Data Breach Announced by Richmond Behavioral Health Authority
- The Richmonder — Behavioral health authority now faces three class-action suits over data breach
- Comparitech — Richmond, VA mental health service notifies 113,000+ people of data breach
- WRIC ABC 8News — RBHA ransomware data security incident
- Justia — Guevara v. Richmond Behavioral Health Authority, 3:26-cv-00075 (E.D. Va.)
- SecurityWeek — 113,000 Impacted by Data Breach at Virginia Mental Health Authority
- PacerMonitor — Reed v. Richmond Behavioral Health Authority, 3:25-cv-01037 (E.D. Va.)
- PacerMonitor — Guevara v. Richmond Behavioral Health Authority, 3:26-cv-00075 (E.D. Va.)
- GlobeNewswire — Lynch Carpenter LLP Investigating Richmond Behavioral Health Authority Data Breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.