Active breach tracker Richmond, Virginia Disclosed November 28, 2025

Richmond Behavioral Health Authority Data Breach 2025 (Qilin Ransomware): 113,232 VA Behavioral-Health Patients Exposed. No Credit Monitoring Offered. What To Do

Richmond Behavioral Health Authority (RBHA) disclosed a Qilin ransomware attack on September 29, 2025 that exposed names, Social Security numbers, passport numbers, financial account data, and health information of 113,232 individuals. RBHA offered no credit monitoring. Multiple class actions filed in the Eastern District of Virginia. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 29, 2025

Threat actor first accessed RBHA's network and later deployed ransomware encrypting files

Sep 30, 2025

RBHA discovered the unauthorized access and engaged IT and outside cybersecurity counsel

Oct 15, 2025

Qilin ransomware group claimed responsibility in mid-October, adding RBHA to its Tor-based leak site

Nov 28, 2025

RBHA reported the breach to the HHS Office for Civil Rights (113,232 individuals)

Dec 4, 2025

Individual notification letters mailed to affected persons (66 days after initial access, exceeding HIPAA's 60-day window)

Dec 17, 2025

RBHA filed breach notification with the Massachusetts Attorney General's office

Dec 18, 2025

Shanequa Reed filed putative class action Reed v. RBHA (3:25-cv-01037, E.D. Va.); Lynch Carpenter LLP announced investigation

Jan 2, 2026

Kara Toney filed a second putative class action in E.D. Va.; Nathan Custalow-Hall filed a third suit

Jan 29, 2026

Daniel Guevara (pro se) filed a fourth civil action, Guevara v. RBHA (3:26-cv-00075, E.D. Va.)

Feb 17, 2026

Reed voluntarily dismissed her case (3:25-cv-01037) after RBHA moved to dismiss and Reed filed an amended complaint

Mar 23, 2026

RBHA moved to dismiss the Guevara case for lack of jurisdiction; case pending before Judge David J. Novak

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Passport number

03

Contact & insurance

Phishing + targeted scams

Full name Financial account information Medical / health information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter LLP (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Richmond Behavioral Health Authority (RBHA) is the public community services board for the City of Richmond, Virginia, providing mental health, intellectual disability, and substance use disorder services. On September 29, 2025, threat actors gained access to RBHA’s network and deployed ransomware that encrypted files; RBHA detected the intrusion the next day. After a forensic review, RBHA reported the incident to the HHS Office for Civil Rights on November 28, 2025 and began mailing individual notification letters on December 4, 2025. The breach affected 113,232 individuals. The Qilin ransomware-as-a-service group claimed responsibility in mid-October 2025, said it exfiltrated 192 GB of data (more than 393,000 files), and published the stolen files on its dark-web leak site. RBHA notified at least 14 state attorneys general of the breach and filed notices with the Massachusetts AG on December 17, 2025. RBHA offered no credit monitoring to affected individuals. Multiple civil actions have been filed in the Eastern District of Virginia; one was voluntarily dismissed and others remain active.

Timeline

  • September 29, 2025 — Initial unauthorized network access; ransomware later deployed, encrypting portions of RBHA’s environment.
  • September 30, 2025 — RBHA discovers the incident and engages internal IT plus outside cybersecurity counsel.
  • Mid-October 2025 — Qilin ransomware group claims the RBHA attack on its Tor-based leak site and begins publishing the exfiltrated data (192 GB, 393,000+ files per SecurityWeek).
  • November 28, 2025 — RBHA reports the breach to the HHS Office for Civil Rights, listing 113,232 affected individuals and “Network Server” as the location of the breached information.
  • December 4, 2025 — RBHA begins mailing notification letters to affected individuals, 66 days after initial access, exceeding HIPAA’s 60-day notification window.
  • December 17, 2025 — RBHA notifies the Massachusetts Attorney General’s office (one of at least 14 state AG filings confirmed by multi-state disclosure records).
  • December 18, 2025 — Plaintiff Shanequa Reed files Reed v. RBHA (3:25-cv-01037, E.D. Va.); Lynch Carpenter LLP announces a separate investigation into claims.
  • January 2, 2026 — Plaintiff Kara Toney files a second putative class action in E.D. Va.; plaintiff Nathan Custalow-Hall files a third suit around the same time.
  • January 29, 2026 — Daniel Guevara (pro se, Shreveport, LA) files Guevara v. RBHA (3:26-cv-00075, E.D. Va.) as a fourth civil action seeking injunctive relief and production of investigative materials.
  • February 3, 2026 — Judge David J. Novak denies Guevara’s emergency motion for a preliminary injunction.
  • February 17, 2026 — Shanequa Reed voluntarily dismisses Reed v. RBHA (3:25-cv-01037) after RBHA moved to dismiss and Reed filed an amended complaint.
  • March 23, 2026 — RBHA moves to dismiss the Guevara case for lack of jurisdiction; case pending.

What was exposed

Per RBHA’s own notice and corroborating trade-press reporting, the files involved contained one or more of the following per individual:

  • Full name
  • Social Security number
  • Passport number
  • Financial account information
  • Medical / health information

RBHA’s notice qualifies that it found “no definitive evidence” of access to specific patient records, but mailed notices “out of an abundance of caution” — language consistent with a forensic review that confirms exposure of files containing the categories above without per-record proof of viewing. Qilin’s leak post and screenshots indicate at least some patient-level data was exfiltrated and published.

Sensitive-population considerations (behavioral health, SUD, 42 CFR Part 2)

RBHA is a community services board whose service mix expressly includes substance use disorder treatment. Records created or maintained by federally assisted SUD treatment programs are protected by 42 CFR Part 2, a confidentiality regime that is meaningfully stricter than HIPAA — and that, since the 2024 HHS final rule (compliance deadline February 16, 2026), carries its own breach-notification expectations layered on top of HIPAA. Several practical implications follow for individuals notified by RBHA:

  • A Part 2 breach is more damaging than a typical PHI breach. Part 2 was written precisely because the existence of SUD treatment — independent of any clinical detail — can drive employment, custody, immigration, and insurance harm. Disclosure that an individual is in RBHA’s system at all can be sensitive.
  • Behavioral-health metadata is sensitive even without diagnosis text. Appointment logs, provider names, billing codes, and program identifiers can imply diagnosis or treatment type.
  • Identity-theft risk compounds. SSN + passport + financial account + medical record numbers in one set is a high-value bundle for both financial fraud and medical identity theft (fraudulent billing, controlled-substance prescriptions in a victim’s name).
  • Heightened spam, phishing, and social-engineering risk is documented in the early plaintiffs’ allegations, including spam-call surges and account-login attempts in the weeks after the breach.

If you are an RBHA client or were a client of a predecessor program, treat any unsolicited contact referencing your behavioral-health care, billing, or “verification” as suspect until verified through a known RBHA phone number.

Class-action posture

As of June 2026, at least four civil actions have been filed against RBHA in the U.S. District Court for the Eastern District of Virginia, with one dismissed and others still active:

  • Reed v. Richmond Behavioral Health Authority (3:25-cv-01037) — filed December 18, 2025 by Shanequa Reed, who alleged three unauthorized charges to her checking account and attempted unauthorized logins after the breach. RBHA moved to dismiss. Reed filed an amended complaint and then voluntarily dismissed the case on February 17, 2026. RBHA was represented by Wilfredo Bonilla Jr. of Crenshaw, Ware & Martin, P.L.C.
  • Toney v. Richmond Behavioral Health Authority — filed January 2, 2026 by Kara Toney in E.D. Va.; plaintiff alleges a spike in spam calls and ongoing identity-theft exposure from behavioral-health records she says are “particularly likely to be used in detrimental ways.”
  • Custalow-Hall v. Richmond Behavioral Health Authority — filed around the same time as Toney; plaintiff Nathan Custalow-Hall alleges affected individuals “now face years of constant surveillance of their financial and personal records.”
  • Guevara v. Richmond Behavioral Health Authority (3:26-cv-00075) — filed January 29, 2026 by Daniel Guevara (pro se, Shreveport, LA) as a civil-rights action under 42 U.S.C. § 1983. Guevara sought injunctive relief compelling production of investigative materials. Judge David J. Novak denied a preliminary injunction on February 3, 2026. RBHA moved to dismiss for lack of jurisdiction on March 23, 2026; that motion was pending as of last update.

Lynch Carpenter LLP, a national class-action firm, announced a separate investigation into claims against RBHA on December 18, 2025 (GlobeNewswire).

Common allegations across the representative complaints: RBHA failed to take reasonable cybersecurity precautions commensurate with the sensitivity of behavioral-health and SUD records, and RBHA’s notification was untimely at 66 days after access, six days past HIPAA’s 60-day outer limit.

What RBHA is offering

RBHA’s breach notice told affected individuals to “remain vigilant against incidents of identity theft and fraud” and to review account statements. RBHA did not offer complimentary credit monitoring or identity-protection services. This absence is notable given the sensitivity of the data involved, SSN, passport number, and behavioral-health records, and is a focal point of the civil litigation.

What to do

If you received an RBHA notification letter, or were ever served by RBHA and have not yet received one, the following steps are appropriate:

  1. Freeze your credit with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). Free, takes about ten minutes each, and is the single highest-leverage protection against new-account fraud. With SSN and passport data confirmed in the exposed set, a freeze is the baseline. Because RBHA offered no monitoring, you must take this step yourself.
  2. File IRS Form 14039 (Identity Theft Affidavit) to put the IRS on notice that your SSN has been exposed. This flags your tax account for suspicious return activity.
  3. Watch financial accounts and explanation-of-benefits statements closely for unauthorized activity. Report any charge or claim you do not recognize within 60 days to preserve dispute rights.
  4. If your passport number was exposed, contact the U.S. Department of State. A passport replacement is worth considering if the SSN and passport combination has already been published in the Qilin leak set.
  5. Be skeptical of phone calls, texts, and emails referencing RBHA, mental-health care, or “incident response.” Threat actors use breach-victim lists for targeted phishing. Verify any caller through a known RBHA number (804-819-4000), not one provided in an unsolicited message.
  6. Preserve your notification letter and any related correspondence. It is the evidence of record for regulator complaints and class-action participation.
  7. Stop the ongoing flow of your behavioral-health data. HealthConsent files HIPAA restriction requests so the mental-health, SUD, and clinical records exposed in this breach are not continuously re-shared across payers, clearinghouses, and information exchanges.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.