Rockhill Women's Care Data Breach 2025: 70,129 Patients Exposed in Qilin Ransomware Attack on OB-GYN Practice. What To Do.
Rockhill Women's Care, an OB-GYN practice with offices in Lee's Summit, Missouri and Overland Park, Kansas, detected a network intrusion on February 26, 2025. The Qilin ransomware group claimed responsibility days later and leaked a 20 GB sample of reproductive-health records. Notification letters went to 70,129 patients on or around September 30, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 26, 2025
Rockhill Women's Care detects network intrusion; clinics close temporarily for 'technical difficulties'
Feb 27, 2025
Clinics reopen with ongoing technical-issue banner on the practice website
Mar 4, 2025
Qilin ransomware group claims responsibility on its dark-web leak site and posts a 20 GB sample of patient records
Aug 13, 2025
Data-mining file-review concludes; identification of affected individuals and exposed data elements complete
Sep 25, 2025
Rockhill files Hacking/IT Incident report with HHS OCR (Network Server, 70,129 affected)
Sep 30, 2025
Individual notification letters begin mailing; substitute notice and 1-833-855-4208 call center go live
Dec 1, 2025
Levi & Korsinsky publicly announces class-action investigation; Barnow and Associates follows
Feb 26, 2025
Rockhill Women's Care detects network intrusion; clinics close temporarily for 'technical difficulties'
Feb 27, 2025
Clinics reopen with ongoing technical-issue banner on the practice website
Mar 4, 2025
Qilin ransomware group claims responsibility on its dark-web leak site and posts a 20 GB sample of patient records
Aug 13, 2025
Data-mining file-review concludes; identification of affected individuals and exposed data elements complete
Sep 25, 2025
Rockhill files Hacking/IT Incident report with HHS OCR (Network Server, 70,129 affected)
Sep 30, 2025
Individual notification letters begin mailing; substitute notice and 1-833-855-4208 call center go live
Dec 1, 2025
Levi & Korsinsky publicly announces class-action investigation; Barnow and Associates follows
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Rockhill Women’s Care is an OB-GYN practice that has served the Kansas City metro since 1989, with offices in Lee’s Summit, Missouri and Overland Park, Kansas. On February 26, 2025, the practice detected a network intrusion that forced an unscheduled two-day closure of its clinics; the only public-facing communication at the time was a website banner referencing “technical difficulties.” Days later, on March 4, 2025, the Qilin ransomware-as-a-service group claimed responsibility on its dark-web leak portal and published a sample of what it said was roughly 20 GB of stolen records, including patient names, ages, addresses, phone numbers, insurance details, and partial medical histories with treatment information (per The Register’s contemporaneous reporting). Qilin set a deadline of March 11, 2025 and threatened to make the full dataset available for download if its demands were not met.
Rockhill engaged third-party forensics and notified law enforcement. A data-mining review of the affected files completed on August 13, 2025, and the practice filed its Hacking/IT Incident report with the U.S. Department of Health and Human Services Office for Civil Rights on September 25, 2025, reporting 70,129 affected individuals (location of breached information: Network Server). Individual notification letters began mailing on or around September 30, 2025.
Timeline
- February 26, 2025 — Network intrusion detected; clinics close temporarily.
- February 27, 2025 — Clinics reopen; website banner cites unresolved “technical issues.”
- March 4, 2025 — Qilin claims credit and posts a 20 GB sample of stolen records to its leak site; sets a March 11, 2025 download deadline.
- August 13, 2025 — Data-mining vendor concludes the file-review exercise identifying affected individuals and data elements.
- September 25, 2025 — Rockhill files the breach with HHS OCR (Hacking/IT Incident, Network Server, 70,129 affected).
- September 30, 2025 — Individual notification letters begin mailing; substitute notice and a dedicated call center (1-833-855-4208) go live.
- December 1, 2025 — Levi & Korsinsky publicly announces a class-action investigation; Barnow and Associates follows.
The roughly seven-month gap between detection on February 26 and OCR filing on September 25 sits well outside HIPAA’s 60-day notification clock. The practice attributes the delay to the time required to complete the data-mining file review.
What was exposed
Based on the official 2025 Security Notice and the individual notification letters, the exposed dataset includes one or more of the following per individual:
- Full name
- Address
- Date of birth
- Social Security number
- Medical treatment information (clinical content from an OB-GYN record)
- Health insurance information
The Register’s coverage of the Qilin leak sample described the posted records as containing patient ages, phone numbers, insurance carriers, partial medical histories, current conditions, and details of contraception procedures for patients as young as 16. Rockhill’s own notification does not enumerate clinical specifics. The leak-site sample is the basis for those details and is independently reported, not memory-only.
Payment card and bank account information have not been reported as part of the exposed dataset. The harm shape is medical identity theft and full-profile identity fraud for those whose SSNs were involved, plus the distinct privacy harm flowing from reproductive-health records being published to a criminal leak site.
Sensitive population: reproductive-health records on a public leak site
OB-GYN records are not generic PHI. They typically include pregnancy status, prenatal results, miscarriages, contraception, fertility treatment, and in some patient histories abortion care. Because Qilin’s extortion model is leak-driven, a sample of Rockhill records was already posted to the dark web in March 2025; the full 20 GB trove was threatened but the practice has not publicly confirmed final disposition.
For Missouri-located patients, the exposure landed against an unsettled state-law backdrop. Missouri’s near-total abortion ban was lifted by ballot Amendment 3 in late 2024, but state-level restrictions and ongoing litigation have continued. A handful of states (California, New York, Massachusetts, Washington, and others) have reproductive-health shield laws that limit cooperation with out-of-state investigations and restrict re-disclosure of reproductive-care records. Those statutes protect against state-actor demands. They do not undo a criminal leak.
At the federal level, the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy (89 Fed. Reg. 32976) added a special prohibition on disclosing PHI for investigations or proceedings against patients or providers for lawfully obtained reproductive care. That rule was vacated nationwide by the U.S. District Court for the Northern District of Texas in Purl v. U.S. Department of Health and Human Services on June 18, 2025, before Rockhill filed with OCR. The standard HIPAA Privacy Rule still governs the underlying breach response and OCR enforcement, but the reproductive-specific federal overlay is not currently in force.
The practical upshot for Rockhill patients: clinical content tied to your identity may already be in criminal hands. Credit freezes address the financial-fraud surface. They do not address the reproductive-privacy surface. The protective steps below acknowledge both.
What Rockhill Women’s Care is offering
Rockhill’s substitute notice and notification letters direct patients to a dedicated call center at 1-833-855-4208, Monday through Friday, 8 a.m. to 8 p.m. EST. The practice has stated it “takes patient privacy very seriously” and has “taken steps to enhance its security measures to prevent similar incidents.” Specific credit-monitoring duration is set out in each individual notification letter; the public substitute-notice text reviewed for this page does not enumerate a universal monitoring term, so check your letter for the enrollment code and deadline.
The practice has confirmed it filed with HHS OCR and with multiple state attorneys general (per ClaimDepot’s review, filings span at least California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, reflecting the multistate residency of the affected population).
Class-action posture
As of this writing, no consolidated class action has been publicly docketed in the U.S. District Court for the Western District of Missouri or the District of Kansas. Two plaintiff firms have announced investigations:
- Levi & Korsinsky, LLP — first public investigation announcement on December 1, 2025, with renewed press releases on December 5 and December 8, 2025.
- Barnow and Associates, P.C. (Chicago) — soliciting affected patients for potential class-action representation.
Both firms typically file in the federal district where the defendant is headquartered or where the largest affected cohort resides; for Rockhill that would be W.D. Mo. (Kansas City) or D. Kan. (Overland Park / Kansas City, KS). Comparable OB-GYN breach litigation has resolved in the $900K to $2.4M range, though the reproductive-records overlay in Rockhill could push valuation higher.
What to do if you may be affected
This week:
- Place a free credit freeze at Equifax, Experian, and TransUnion. It takes about ten minutes per bureau and is the single highest-leverage protection against new-account fraud.
- Enroll in any complimentary credit monitoring offered in your notification letter. Use the enrollment code printed on the letter; do not let the deadline lapse.
- File IRS Form 14039 (Identity Theft Affidavit) if your letter lists your Social Security number as exposed. This blocks a fraudulent tax return being filed under your SSN.
- Call the dedicated line at 1-833-855-4208 (Mon to Fri, 8 a.m. to 8 p.m. EST) if you have not received a letter and believe you may be affected; the practice can confirm whether your records were involved.
This month:
- Review your Explanation of Benefits statements from your insurer for OB-GYN services you did not receive. Medical identity theft typically surfaces in EOBs weeks or months after the underlying fraud.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance information already exposed in this breach is not continuously re-shared and resold by other entities downstream.
- Decide on legal posture. If you intend to participate in or opt out of any future class action, save your notification letter and call-center reference number. Either of the firms listed above will record your information at no cost to preserve the option.
Sources
- HIPAA Journal — Rockhill Women’s Care & Harbor Regional Center Announce Data Breaches
- Rockhill Women’s Care — 2025 Security Notice (official PDF)
- The Register — Qilin claims attacks on cancer, women’s clinics
- Fox4 KC — Levi & Korsinsky, LLP Investigates Rockhill Women’s Care Data Breach
- Barnow and Associates — Rockhill Women’s Care Data Breach Investigation
- ClaimDepot — Rockhill Women’s Care Data Breach (2025)
- BlackFog — State of Ransomware: October 2025
- HHS Office for Civil Rights Breach Portal
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal — Rockhill Women's Care & Harbor Regional Center Announce Data Breaches
- Rockhill Women's Care — 2025 Security Notice (official PDF)
- The Register — Qilin claims attacks on cancer, women's clinics
- Fox4 KC — Levi & Korsinsky, LLP Investigates Rockhill Women's Care Data Breach
- Barnow and Associates — Rockhill Women's Care Data Breach Investigation
- ClaimDepot — Rockhill Women's Care Data Breach (2025)
- BlackFog — State of Ransomware: October 2025
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.