Active breach tracker Kansas City metro Disclosed September 25, 2025

Rockhill Women's Care Data Breach 2025: 70,129 Patients Exposed in Qilin Ransomware Attack on OB-GYN Practice. What To Do.

Rockhill Women's Care, an OB-GYN practice with offices in Lee's Summit, Missouri and Overland Park, Kansas, detected a network intrusion on February 26, 2025. The Qilin ransomware group claimed responsibility days later and leaked a 20 GB sample of reproductive-health records. Notification letters went to 70,129 patients on or around September 30, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 26, 2025

Rockhill Women's Care detects network intrusion; clinics close temporarily for 'technical difficulties'

Feb 27, 2025

Clinics reopen with ongoing technical-issue banner on the practice website

Mar 4, 2025

Qilin ransomware group claims responsibility on its dark-web leak site and posts a 20 GB sample of patient records

Aug 13, 2025

Data-mining file-review concludes; identification of affected individuals and exposed data elements complete

Sep 25, 2025

Rockhill files Hacking/IT Incident report with HHS OCR (Network Server, 70,129 affected)

Sep 30, 2025

Individual notification letters begin mailing; substitute notice and 1-833-855-4208 call center go live

Dec 1, 2025

Levi & Korsinsky publicly announces class-action investigation; Barnow and Associates follows

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Levi & Korsinsky, LLP Barnow and Associates, P.C.
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Rockhill Women’s Care is an OB-GYN practice that has served the Kansas City metro since 1989, with offices in Lee’s Summit, Missouri and Overland Park, Kansas. On February 26, 2025, the practice detected a network intrusion that forced an unscheduled two-day closure of its clinics; the only public-facing communication at the time was a website banner referencing “technical difficulties.” Days later, on March 4, 2025, the Qilin ransomware-as-a-service group claimed responsibility on its dark-web leak portal and published a sample of what it said was roughly 20 GB of stolen records, including patient names, ages, addresses, phone numbers, insurance details, and partial medical histories with treatment information (per The Register’s contemporaneous reporting). Qilin set a deadline of March 11, 2025 and threatened to make the full dataset available for download if its demands were not met.

Rockhill engaged third-party forensics and notified law enforcement. A data-mining review of the affected files completed on August 13, 2025, and the practice filed its Hacking/IT Incident report with the U.S. Department of Health and Human Services Office for Civil Rights on September 25, 2025, reporting 70,129 affected individuals (location of breached information: Network Server). Individual notification letters began mailing on or around September 30, 2025.

Timeline

  • February 26, 2025 — Network intrusion detected; clinics close temporarily.
  • February 27, 2025 — Clinics reopen; website banner cites unresolved “technical issues.”
  • March 4, 2025 — Qilin claims credit and posts a 20 GB sample of stolen records to its leak site; sets a March 11, 2025 download deadline.
  • August 13, 2025 — Data-mining vendor concludes the file-review exercise identifying affected individuals and data elements.
  • September 25, 2025 — Rockhill files the breach with HHS OCR (Hacking/IT Incident, Network Server, 70,129 affected).
  • September 30, 2025 — Individual notification letters begin mailing; substitute notice and a dedicated call center (1-833-855-4208) go live.
  • December 1, 2025 — Levi & Korsinsky publicly announces a class-action investigation; Barnow and Associates follows.

The roughly seven-month gap between detection on February 26 and OCR filing on September 25 sits well outside HIPAA’s 60-day notification clock. The practice attributes the delay to the time required to complete the data-mining file review.

What was exposed

Based on the official 2025 Security Notice and the individual notification letters, the exposed dataset includes one or more of the following per individual:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Medical treatment information (clinical content from an OB-GYN record)
  • Health insurance information

The Register’s coverage of the Qilin leak sample described the posted records as containing patient ages, phone numbers, insurance carriers, partial medical histories, current conditions, and details of contraception procedures for patients as young as 16. Rockhill’s own notification does not enumerate clinical specifics. The leak-site sample is the basis for those details and is independently reported, not memory-only.

Payment card and bank account information have not been reported as part of the exposed dataset. The harm shape is medical identity theft and full-profile identity fraud for those whose SSNs were involved, plus the distinct privacy harm flowing from reproductive-health records being published to a criminal leak site.

Sensitive population: reproductive-health records on a public leak site

OB-GYN records are not generic PHI. They typically include pregnancy status, prenatal results, miscarriages, contraception, fertility treatment, and in some patient histories abortion care. Because Qilin’s extortion model is leak-driven, a sample of Rockhill records was already posted to the dark web in March 2025; the full 20 GB trove was threatened but the practice has not publicly confirmed final disposition.

For Missouri-located patients, the exposure landed against an unsettled state-law backdrop. Missouri’s near-total abortion ban was lifted by ballot Amendment 3 in late 2024, but state-level restrictions and ongoing litigation have continued. A handful of states (California, New York, Massachusetts, Washington, and others) have reproductive-health shield laws that limit cooperation with out-of-state investigations and restrict re-disclosure of reproductive-care records. Those statutes protect against state-actor demands. They do not undo a criminal leak.

At the federal level, the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy (89 Fed. Reg. 32976) added a special prohibition on disclosing PHI for investigations or proceedings against patients or providers for lawfully obtained reproductive care. That rule was vacated nationwide by the U.S. District Court for the Northern District of Texas in Purl v. U.S. Department of Health and Human Services on June 18, 2025, before Rockhill filed with OCR. The standard HIPAA Privacy Rule still governs the underlying breach response and OCR enforcement, but the reproductive-specific federal overlay is not currently in force.

The practical upshot for Rockhill patients: clinical content tied to your identity may already be in criminal hands. Credit freezes address the financial-fraud surface. They do not address the reproductive-privacy surface. The protective steps below acknowledge both.

What Rockhill Women’s Care is offering

Rockhill’s substitute notice and notification letters direct patients to a dedicated call center at 1-833-855-4208, Monday through Friday, 8 a.m. to 8 p.m. EST. The practice has stated it “takes patient privacy very seriously” and has “taken steps to enhance its security measures to prevent similar incidents.” Specific credit-monitoring duration is set out in each individual notification letter; the public substitute-notice text reviewed for this page does not enumerate a universal monitoring term, so check your letter for the enrollment code and deadline.

The practice has confirmed it filed with HHS OCR and with multiple state attorneys general (per ClaimDepot’s review, filings span at least California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, reflecting the multistate residency of the affected population).

Class-action posture

As of this writing, no consolidated class action has been publicly docketed in the U.S. District Court for the Western District of Missouri or the District of Kansas. Two plaintiff firms have announced investigations:

  • Levi & Korsinsky, LLP — first public investigation announcement on December 1, 2025, with renewed press releases on December 5 and December 8, 2025.
  • Barnow and Associates, P.C. (Chicago) — soliciting affected patients for potential class-action representation.

Both firms typically file in the federal district where the defendant is headquartered or where the largest affected cohort resides; for Rockhill that would be W.D. Mo. (Kansas City) or D. Kan. (Overland Park / Kansas City, KS). Comparable OB-GYN breach litigation has resolved in the $900K to $2.4M range, though the reproductive-records overlay in Rockhill could push valuation higher.

What to do if you may be affected

This week:

  1. Place a free credit freeze at Equifax, Experian, and TransUnion. It takes about ten minutes per bureau and is the single highest-leverage protection against new-account fraud.
  2. Enroll in any complimentary credit monitoring offered in your notification letter. Use the enrollment code printed on the letter; do not let the deadline lapse.
  3. File IRS Form 14039 (Identity Theft Affidavit) if your letter lists your Social Security number as exposed. This blocks a fraudulent tax return being filed under your SSN.
  4. Call the dedicated line at 1-833-855-4208 (Mon to Fri, 8 a.m. to 8 p.m. EST) if you have not received a letter and believe you may be affected; the practice can confirm whether your records were involved.

This month:

  1. Review your Explanation of Benefits statements from your insurer for OB-GYN services you did not receive. Medical identity theft typically surfaces in EOBs weeks or months after the underlying fraud.
  2. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance information already exposed in this breach is not continuously re-shared and resold by other entities downstream.
  3. Decide on legal posture. If you intend to participate in or opt out of any future class action, save your notification letter and call-center reference number. Either of the firms listed above will record your information at no cost to preserve the option.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.