Active breach tracker Mobile, AL Disclosed March 18, 2026

South Alabama Regional Planning Commission Data Breach 2026 (Qilin Ransomware): 3,043 Older Adults Exposed via Area Agency on Aging. What To Do

The South Alabama Regional Planning Commission (SARPC), the Area Agency on Aging serving Mobile, Baldwin, and Escambia counties, was attacked by the Qilin ransomware group in October 2025. 3,043 elderly individuals exposed. PHI from in-home assessments, SenioRx prescription assistance, and SHIP/Medicare counseling programs likely in scope. Limited public detail. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 2, 2025

Estimated intrusion (per Ransomware.live)

Oct 2, 2025

Breach detected

Oct 26, 2025

Qilin leak page published on dark-web leak site

Mar 18, 2026

HHS OCR filing

Data exposed

01

High-risk identity

Enables financial + identity theft

Likely home address, date of birth, Social Security number (per AAA program scope)

02

Health records

Don't expire and can't be reissued

Likely prescription information (SenioRx program)

03

Contact & insurance

Phishing + targeted scams

Full name (specific PHI categories not entity-confirmed) Likely Medicare / Medicaid IDs Likely in-home assessment data (functional / health status, ADLs) Likely caregiver contact information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

The South Alabama Regional Planning Commission (SARPC) is a public-sector regional planning authority founded in 1964 (as the Mobile Regional Planning Commission), expanded in 1968 to cover Mobile, Baldwin, and Escambia counties plus 29 municipalities. SARPC’s main office is at 110 Beauregard Street, GM&O Building, downtown Mobile.

SARPC is on the HHS OCR breach portal because it operates the regional Area Agency on Aging (AAA) under Older Americans Act Title III. The AAA assesses needs of older adults, distributes service funds, and holds PHI through:

  • In-home needs assessments of elderly clients
  • SenioRx prescription assistance program
  • SHIP/Medicare counseling outreach
  • Caregiver support services
  • Meals and transportation intake

Around October 2, 2025 (per Ransomware.live), the Qilin ransomware group accessed SARPC’s network. On October 26, 2025, Qilin published SARPC’s leak page on its dark-web leak site. SARPC filed with HHS OCR on March 18, 2026 — confirming 3,043 affected individuals.

The ~5-month gap between leak-site listing and OCR filing is typical for forensic investigation plus notification preparation. Qilin uses a double-extortion model (exfiltration plus encryption) and was the most active ransomware group in October 2025.

What was potentially exposed

SARPC has not enumerated specific PHI categories in publicly indexed sources (the sarpc.org site returned errors on mid-May 2026 fetches). Given the AAA program scope, the exposure likely includes:

  • Full name, home address, date of birth
  • Social Security number
  • Medicare / Medicaid IDs
  • In-home assessment data (functional and health status, activities of daily living)
  • Prescription information (SenioRx program)
  • Caregiver contact information

If you receive a SARPC notification letter, the letter itself will list the specific data elements involved in your case.

A particularly vulnerable population

SARPC’s AAA clients are predominantly age 60+. Secondary identity-theft harms compound underlying frailty in this population — many clients may have cognitive impairment, may not regularly check their credit, and may rely on family caregivers to manage administrative paperwork.

What SARPC is offering

As of mid-May 2026, no public notice letter has been located on sarpc.org (site errors on fetch). Credit monitoring vendor, call center, and enrollment details are not publicly visible.

Alabama’s Data Breach Notification Act of 2018 requires entity notification to the AG, but Alabama does not maintain a public-facing searchable breach portal.

If you are a SARPC AAA client or a family member, contact SARPC directly at the AAA office for guidance.

What to do

  1. Contact SARPC’s AAA office to ask whether they have mailed a notification letter and what monitoring is offered.
  2. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  3. If you are a family member or guardian of a SARPC AAA client, monitor their statements on their behalf — secondary identity theft against elderly clients is often noticed only by family members.
  4. Watch their Medicare Summary Notice for unfamiliar claims.
  5. Stop the ongoing flow of their aging-services data. HealthConsent files HIPAA restriction requests covering AAA, in-home assessment, and prescription-assistance pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.