Rural Health Services Data Breach (January 2025 Medusa Ransomware): 36,542 Affected at South Carolina FQHC, Notified June 2025
Rural Health Services, a federally qualified health center serving Aiken County, South Carolina, suffered a Medusa ransomware intrusion between January 15 and February 13, 2025 in which names, Social Security numbers, driver's license and passport numbers, financial account information, and detailed protected health information for 36,542 individuals were potentially exfiltrated. Individual notification letters were mailed in mid-June 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 15, 2025
Medusa unauthorized access to Rural Health Services network begins (per forensic review)
Feb 13, 2025
Intrusion detected; systems secured, law enforcement and third-party forensic firm engaged
Jun 12, 2025
HHS Office for Civil Rights breach filing submitted (36,542 affected; Hacking/IT Incident at Network Server)
Jun 13, 2025
Individual notification letters mailed; SC Department of Consumer Affairs filing reports 32,948 South Carolina residents affected
Jan 15, 2025
Medusa unauthorized access to Rural Health Services network begins (per forensic review)
Feb 13, 2025
Intrusion detected; systems secured, law enforcement and third-party forensic firm engaged
Jun 12, 2025
HHS Office for Civil Rights breach filing submitted (36,542 affected; Hacking/IT Incident at Network Server)
Jun 13, 2025
Individual notification letters mailed; SC Department of Consumer Affairs filing reports 32,948 South Carolina residents affected
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Rural Health Services, a federally qualified health center (FQHC) headquartered in Aiken, South Carolina, was compromised by the Medusa ransomware group between January 15 and February 13, 2025. The intrusion was detected on February 13, 2025, after roughly four weeks of undetected access. Forensic investigators concluded that files containing names paired with Social Security numbers, driver’s license numbers, passport numbers, financial account numbers, and detailed protected health information for 36,542 individuals may have been viewed or copied. Rural Health Services filed its HIPAA breach notification with the HHS Office for Civil Rights on June 12, 2025 and mailed individual notification letters on or about June 13, 2025. The South Carolina Department of Consumer Affairs filing reported 32,948 affected South Carolina residents.
Timeline
- January 15, 2025. Medusa gains unauthorized access to Rural Health Services’ network, according to the subsequent forensic review.
- February 13, 2025. Intrusion is detected. Rural Health Services secures its systems, notifies law enforcement, and engages a third-party cybersecurity firm to investigate.
- June 12, 2025. Rural Health Services files a HIPAA breach notification with the HHS Office for Civil Rights, reporting 36,542 affected individuals in a “Hacking/IT Incident” at a “Network Server.”
- On or about June 13, 2025. Individual notification letters are mailed to affected patients. State filings, including with the South Carolina Department of Consumer Affairs, report 32,948 South Carolina residents.
What was exposed
Per the notification letter, the data elements potentially exposed vary by individual and include name combined with one or more of:
- Date of birth
- Social Security number
- Driver’s license number
- Passport number
- Financial account number
- Medical history, mental and physical treatment information, diagnosis information, and prescription information
- Treating and referring physician details, patient number
- Medicare and Medicaid information
- Health insurance policy number, member ID, and group number
Medusa is a double-extortion group that publicly demanded a $200,000 Bitcoin ransom and listed Rural Health Services on its dark-web leak site, indicating exfiltration rather than mere encryption.
Sensitive-population considerations (FQHC, rural and underserved)
Rural Health Services operates as a federally qualified health center, the federal safety-net designation for providers that deliver primary care to medically underserved populations regardless of ability to pay. Its patient panel skews rural, lower-income, and disproportionately Medicaid-enrolled or uninsured. Several characteristics of this population raise the harm profile above a typical hospital-system disclosure:
- Passport-number exposure. Passport numbers are an unusual element for an FQHC patient record and suggest some files included immigration- or travel-related documentation. For patients whose status is sensitive, this category of exposure carries risks beyond financial identity theft.
- Medicaid and Medicare data. The exposed elements include Medicare and Medicaid identifiers, which are durable, hard to rotate, and useful for medical-identity fraud against public payers.
- Behavioral and mental-health PHI. FQHCs frequently integrate primary care with behavioral health. The notification explicitly references mental and physical treatment information, diagnosis information, and prescription information, categories with heightened sensitivity.
- Lower baseline access to monitoring. Lower-income and rural patients are less likely to already carry paid credit-monitoring or to have the time and broadband access to act quickly on the activation steps in a notification letter.
What Rural Health Services is offering
The notification letter directs affected individuals to a dedicated incident-response hotline established by Rural Health Services and references standard remediation resources. Specific terms of any complimentary identity-protection enrollment, including duration and provider, are described in the individual letter rather than restated here; consult the activation code and instructions in your letter.
Class-action posture
As of mid-May 2026, multiple plaintiffs’ firms have publicly opened investigations into the Rural Health Services breach, focused on the roughly four-week dwell time, the categories of data potentially exfiltrated, and the adequacy of the entity’s cybersecurity controls. No consolidated class-action complaint against Rural Health Services has been confirmed in public dockets as of the last update to this page; the firms are soliciting affected individuals to evaluate claims.
What to do
If you received a notification letter from Rural Health Services or believe you were a patient at one of its Aiken County locations during or before February 2025:
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft.
- Activate any complimentary credit monitoring offered in your letter using the activation code provided. Keep the letter; it documents the specific data elements exposed for you.
- If your passport number was exposed, you can request a replacement passport from the U.S. Department of State; passport numbers are not routinely re-issued after a breach, so the decision depends on your travel patterns and risk tolerance.
- Watch for medical-identity misuse. Review Explanation of Benefits statements from Medicaid, Medicare, or any private insurer and request a copy of your medical record summary if you suspect treatment you did not receive.
- Request an IRS Identity Protection PIN. Tax-refund fraud is a common follow-on to Social Security number exposure.
- Be alert for targeted phishing referencing Rural Health Services, “Medusa,” or the breach response. Confirm any contact through the hotline listed in your letter rather than clicking links in unsolicited messages.
Sources
- HIPAA Journal - South Carolina Healthcare Providers Report Hacking Incidents
- BreachSense - Rural Health Services Data Breach
- SuspectFile - Ransomware Attack on Rural Health Services, Inc.: Medusa Threatens to Leak Sensitive Patient Data
- South Carolina Department of Consumer Affairs - Security Breach Notices
- ClaimDepot - Rural Health Services Data Breach Lawsuit Investigation
- HHS Office for Civil Rights Breach Portal
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal - South Carolina Healthcare Providers Report Hacking Incidents
- BreachSense - Rural Health Services Data Breach
- SuspectFile - Ransomware Attack on Rural Health Services, Inc.: Medusa Threatens to Leak Sensitive Patient Data
- South Carolina Department of Consumer Affairs - Security Breach Notices
- ClaimDepot - Rural Health Services Data Breach Lawsuit Investigation
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.