Active breach tracker South Carolina Disclosed June 12, 2025

Rural Health Services Data Breach (January 2025 Medusa Ransomware): 36,542 Affected at South Carolina FQHC, Notified June 2025

Rural Health Services, a federally qualified health center serving Aiken County, South Carolina, suffered a Medusa ransomware intrusion between January 15 and February 13, 2025 in which names, Social Security numbers, driver's license and passport numbers, financial account information, and detailed protected health information for 36,542 individuals were potentially exfiltrated. Individual notification letters were mailed in mid-June 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 15, 2025

Medusa unauthorized access to Rural Health Services network begins (per forensic review)

Feb 13, 2025

Intrusion detected; systems secured, law enforcement and third-party forensic firm engaged

Jun 12, 2025

HHS Office for Civil Rights breach filing submitted (36,542 affected; Hacking/IT Incident at Network Server)

Jun 13, 2025

Individual notification letters mailed; SC Department of Consumer Affairs filing reports 32,948 South Carolina residents affected

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number Passport number

02

Health records

Don't expire and can't be reissued

Mental and physical treatment information Diagnosis information Prescription information

03

Contact & insurance

Phishing + targeted scams

Full name Financial account number Medical history Treating and referring physician details Patient number Medicare and Medicaid information Health insurance policy number, member ID, and group number
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Rural Health Services, a federally qualified health center (FQHC) headquartered in Aiken, South Carolina, was compromised by the Medusa ransomware group between January 15 and February 13, 2025. The intrusion was detected on February 13, 2025, after roughly four weeks of undetected access. Forensic investigators concluded that files containing names paired with Social Security numbers, driver’s license numbers, passport numbers, financial account numbers, and detailed protected health information for 36,542 individuals may have been viewed or copied. Rural Health Services filed its HIPAA breach notification with the HHS Office for Civil Rights on June 12, 2025 and mailed individual notification letters on or about June 13, 2025. The South Carolina Department of Consumer Affairs filing reported 32,948 affected South Carolina residents.

Timeline

  • January 15, 2025. Medusa gains unauthorized access to Rural Health Services’ network, according to the subsequent forensic review.
  • February 13, 2025. Intrusion is detected. Rural Health Services secures its systems, notifies law enforcement, and engages a third-party cybersecurity firm to investigate.
  • June 12, 2025. Rural Health Services files a HIPAA breach notification with the HHS Office for Civil Rights, reporting 36,542 affected individuals in a “Hacking/IT Incident” at a “Network Server.”
  • On or about June 13, 2025. Individual notification letters are mailed to affected patients. State filings, including with the South Carolina Department of Consumer Affairs, report 32,948 South Carolina residents.

What was exposed

Per the notification letter, the data elements potentially exposed vary by individual and include name combined with one or more of:

  • Date of birth
  • Social Security number
  • Driver’s license number
  • Passport number
  • Financial account number
  • Medical history, mental and physical treatment information, diagnosis information, and prescription information
  • Treating and referring physician details, patient number
  • Medicare and Medicaid information
  • Health insurance policy number, member ID, and group number

Medusa is a double-extortion group that publicly demanded a $200,000 Bitcoin ransom and listed Rural Health Services on its dark-web leak site, indicating exfiltration rather than mere encryption.

Sensitive-population considerations (FQHC, rural and underserved)

Rural Health Services operates as a federally qualified health center, the federal safety-net designation for providers that deliver primary care to medically underserved populations regardless of ability to pay. Its patient panel skews rural, lower-income, and disproportionately Medicaid-enrolled or uninsured. Several characteristics of this population raise the harm profile above a typical hospital-system disclosure:

  • Passport-number exposure. Passport numbers are an unusual element for an FQHC patient record and suggest some files included immigration- or travel-related documentation. For patients whose status is sensitive, this category of exposure carries risks beyond financial identity theft.
  • Medicaid and Medicare data. The exposed elements include Medicare and Medicaid identifiers, which are durable, hard to rotate, and useful for medical-identity fraud against public payers.
  • Behavioral and mental-health PHI. FQHCs frequently integrate primary care with behavioral health. The notification explicitly references mental and physical treatment information, diagnosis information, and prescription information, categories with heightened sensitivity.
  • Lower baseline access to monitoring. Lower-income and rural patients are less likely to already carry paid credit-monitoring or to have the time and broadband access to act quickly on the activation steps in a notification letter.

What Rural Health Services is offering

The notification letter directs affected individuals to a dedicated incident-response hotline established by Rural Health Services and references standard remediation resources. Specific terms of any complimentary identity-protection enrollment, including duration and provider, are described in the individual letter rather than restated here; consult the activation code and instructions in your letter.

Class-action posture

As of mid-May 2026, multiple plaintiffs’ firms have publicly opened investigations into the Rural Health Services breach, focused on the roughly four-week dwell time, the categories of data potentially exfiltrated, and the adequacy of the entity’s cybersecurity controls. No consolidated class-action complaint against Rural Health Services has been confirmed in public dockets as of the last update to this page; the firms are soliciting affected individuals to evaluate claims.

What to do

If you received a notification letter from Rural Health Services or believe you were a patient at one of its Aiken County locations during or before February 2025:

  • Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft.
  • Activate any complimentary credit monitoring offered in your letter using the activation code provided. Keep the letter; it documents the specific data elements exposed for you.
  • If your passport number was exposed, you can request a replacement passport from the U.S. Department of State; passport numbers are not routinely re-issued after a breach, so the decision depends on your travel patterns and risk tolerance.
  • Watch for medical-identity misuse. Review Explanation of Benefits statements from Medicaid, Medicare, or any private insurer and request a copy of your medical record summary if you suspect treatment you did not receive.
  • Request an IRS Identity Protection PIN. Tax-refund fraud is a common follow-on to Social Security number exposure.
  • Be alert for targeted phishing referencing Rural Health Services, “Medusa,” or the breach response. Confirm any contact through the hotline listed in your letter rather than clicking links in unsolicited messages.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.