Southwest C.A.R.E. Center Data Breach 2025: 21,866 Affected · Medusa Ransomware · Santa Fe HIV/STI & LGBTQ+ Care Provider. Class Action Filed.
Southwest C.A.R.E. Center, a Santa Fe nonprofit specializing in HIV, Hepatitis C, STI, and LGBTQ+ health care, filed a HIPAA breach notification with HHS OCR on October 03, 2025, reporting 21,866 affected individuals after a Hacking/IT Incident at Network Server. The Medusa ransomware group claimed responsibility and posted 143.9 GB of exfiltrated data on its dark-web leak site. A class-action lawsuit has been filed in New Mexico's First Judicial District Court in Santa Fe.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 3, 2025
Suspicious activity detected on Southwest C.A.R.E. Center systems; forensic specialists engaged
Jun 3, 2025
Attacker gained access
Jun 27, 2025
Medusa ransomware group claims the attack on its Tor leak site, asserting 143.9 GB of exfiltrated data and threatening publication
Oct 3, 2025
Breach reported to HHS Office for Civil Rights (Hacking/IT Incident, Network Server, 21,866 individuals affected, Healthcare Provider)
Dec 18, 2025
Investigation determines an unauthorized third party may have acquired sensitive personal information including names, personal information, and PHI; written notice issued to impacted individuals
Feb 26, 2026
Class-action complaint filed in the First Judicial District Court of New Mexico (Santa Fe County) alleging failure to safeguard computer systems and patient data
Jun 3, 2025
Suspicious activity detected on Southwest C.A.R.E. Center systems; forensic specialists engaged
Jun 3, 2025
Attacker gained access
Jun 27, 2025
Medusa ransomware group claims the attack on its Tor leak site, asserting 143.9 GB of exfiltrated data and threatening publication
Oct 3, 2025
Breach reported to HHS Office for Civil Rights (Hacking/IT Incident, Network Server, 21,866 individuals affected, Healthcare Provider)
Dec 18, 2025
Investigation determines an unauthorized third party may have acquired sensitive personal information including names, personal information, and PHI; written notice issued to impacted individuals
Feb 26, 2026
Class-action complaint filed in the First Judicial District Court of New Mexico (Santa Fe County) alleging failure to safeguard computer systems and patient data
Data exposed
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Southwest C.A.R.E. Center, a Santa Fe nonprofit healthcare provider that has served northern New Mexico since 1996 and is the region’s largest provider of HIV and Hepatitis C treatment, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on October 03, 2025, reporting 21,866 affected individuals in a Hacking/IT Incident at Network Server. The Medusa ransomware group has publicly claimed responsibility for the attack and posted the organization on its Tor-based data-leak site, asserting it had obtained 143.9 GB of data. A class-action lawsuit has since been filed in New Mexico’s First Judicial District Court in Santa Fe.
This is one of the more sensitive 2025 healthcare filings on the federal portal because of who the patient population is. Southwest C.A.R.E. Center’s clinical scope is dominated by HIV, Hepatitis C, sexually transmitted infection care, and primary and behavioral-health services aimed at LGBTQ+ New Mexicans — categories of records that, if disclosed, carry real-world consequences beyond the standard credit-and-identity profile.
Timeline
- June 3, 2025 — Suspicious activity detected. Southwest C.A.R.E. Center identifies unusual activity on its systems and engages outside forensic specialists to secure the environment and assess scope.
- June 27, 2025 — Medusa leak-site posting. The Medusa ransomware-as-a-service group publishes Southwest CARE Center on its Tor data-leak site, claiming 143.9 GB of exfiltrated data and threatening publication within roughly 11–12 days absent payment. The posting is indexed by Ransomware.live and RedPacket Security.
- October 3, 2025 — HHS OCR filing. Southwest C.A.R.E. Center reports the incident to the federal regulator. The portal entry records 21,866 affected, “Hacking/IT Incident,” location of breached PHI “Network Server,” and covered entity type “Healthcare Provider.”
- December 18, 2025 — Investigation conclusion and notice. The investigation concludes that an unauthorized third party may have acquired sensitive personal information, including first and last names, other personal information, and protected health information. Written notice is provided to impacted individuals; a substitute notice is also published on the organization’s website. Affected individuals are offered complimentary credit monitoring and identity-theft protection services for twelve months and a dedicated call center at 1-833-303-5159.
- Early 2026 — Class action filed. A group of affected patients files a class-action complaint in the First Judicial District Court of New Mexico (Santa Fe County), alleging the organization “failed to properly safeguard its computer systems and patient data” and that the breach materially increases plaintiffs’ risk of identity theft and misuse. Southwest C.A.R.E. Center’s chief financial officer, Jason Sanchez, has declined to comment on the matter due to pending litigation, per the Santa Fe New Mexican.
The gap between detection in June 2025 and the OCR portal filing in October 2025 is consistent with HHS’s 60-day reporting clock running from the date the entity determined that protected health information was reasonably likely to have been acquired, not from the date suspicious activity was first observed.
What was exposed
The substitute notice describes the exposure in regulatory-category terms rather than as an itemized data-element inventory. Per the notice and HIPAA Journal’s summary, the categories include:
- First and last names
- Other personal information (specific elements not enumerated in the public notice)
- Protected health information (PHI)
The federal portal entry records the breach location as “Network Server,” the standard OCR classification for hacking incidents in which an attacker accessed a server hosting patient records rather than email, paper, or a portable device. Medusa’s leak-site post asserts 143.9 GB of data was exfiltrated; that volume, if accurate, would exceed what a 21,866-record patient roster of basic demographics alone would account for and is consistent with the exfiltration of clinical files, imaging or PDF artifacts, and operational records in addition to the demographic roster.
Affected individuals should treat the individual notification letter as authoritative for the specific data elements exposed for their record. The letter, not the OCR portal entry or the substitute notice, will list what was exposed for you.
Why this breach is unusually sensitive
Southwest C.A.R.E. Center’s clinical profile makes this incident materially different from a generic healthcare hacking event:
- HIV status and HIV treatment records. The organization is the largest HIV treatment provider in northern New Mexico. HIV status remains subject to heightened confidentiality protections under federal law and most state statutes, and unauthorized disclosure can carry employment, housing, insurance, immigration, custody, and personal-relationship consequences.
- STI testing and treatment records. Sexually transmitted infection diagnoses and treatment are likewise records that patients reasonably expect to remain inside a closed clinical relationship.
- Hepatitis C care. Hepatitis C records can interact with insurance underwriting and employment decisions in ways patients are typically not consenting to when they seek treatment.
- LGBTQ+ primary and behavioral-health services. The organization is known across New Mexico as a clinical home for LGBTQ+ patients, including for gender-affirming care and behavioral-health support. Patient-identity information drawn from these records, if circulated, can be weaponized in jurisdictions and contexts where LGBTQ+ identity is contested.
The harm calculus for a Medusa-affiliated dark-web posting of records of this kind is not adequately captured by twelve months of credit monitoring. Patients in this population have specific reasons to consider, individually, whether to take additional protective steps beyond the standard playbook (see below).
What the entity is offering
Per the substitute notice and HIPAA Journal’s summary:
- Twelve months of complimentary credit monitoring
- Twelve months of complimentary identity-theft protection
- Dedicated incident call center: 1-833-303-5159
- Substitute notice posted on the organization’s website
The organization has stated that, as of the notice, it had not identified any misuse of patient data and has “reviewed and enhanced our technical safeguards to prevent a similar incident.” These statements are typical of post-incident notices and do not address the separate question of whether Medusa has already distributed or sold the exfiltrated data on dark-web channels prior to the organization’s detection of misuse.
Class-action posture
The matter has moved past the plaintiff-firm investigation stage into active litigation. A class-action complaint has been filed in the First Judicial District Court of New Mexico, Santa Fe County, alleging Southwest C.A.R.E. Center failed to properly safeguard its computer systems and patient data and that the breach materially increases plaintiffs’ risk of identity theft and misuse of their personal information. CFO Jason Sanchez has declined to comment on the litigation. The regulatory status on this page therefore reflects class-action-filed rather than OCR-open alone; the OCR matter itself remains an open federal regulatory record.
Affected individuals who wish to participate in or monitor the case should retain their individual notification letter. The letter is the primary documentary evidence of class membership if the case is certified.
What to do if you may be affected
The standard identity-protection playbook applies and should be done. For Southwest C.A.R.E. Center’s specific patient population, several additional considerations also apply.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft.
- Enroll in the complimentary monitoring offered by Southwest C.A.R.E. Center. Use the enrollment information in your individual notification letter and the call center at 1-833-303-5159.
- Read your notification letter carefully when it arrives. It will list the specific data elements exposed for your record and the deadline to enroll in monitoring.
- Watch for medical identity theft. Review explanation-of-benefits statements from your health plan for prescriptions, lab work, or visits you did not receive. Specialty-medication fraud, including for HIV antiretroviral therapy and Hepatitis C direct-acting antiviral regimens, is a known monetization path for stolen specialty-clinic records.
- Decide individually how to handle disclosure-sensitive records. If your record at Southwest C.A.R.E. Center relates to HIV, STI, Hepatitis C, gender-affirming care, or behavioral-health treatment, consider whether to alert other parties who hold related records (your primary-care clinician, your pharmacy, your insurer) so that any anomaly downstream is flagged faster. Consider documenting your own timeline of when you learned of the breach and what you observed, in case it is needed later.
- Preserve your notification letter. It is evidence of class membership if the New Mexico class action is certified.
- Bookmark this page. We update it as the docket is publicly indexed, as the substitute notice is supplemented, and as additional state-AG filings or trade-press coverage become available.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach (21,866 affected, Hacking/IT Incident, Network Server, Healthcare Provider, filed October 03, 2025).
- HIPAA Journal — Center for Advanced Eye Care; Southwest C.A.R.E Center; Evergreen Healthcare Group Announce Data Breaches — confirms exposure categories (names, personal information, PHI), the December 18, 2025 investigation conclusion, the twelve-month credit-monitoring offer, Medusa’s claim of 143+ GB exfiltration, and the organization’s “no identified misuse” statement.
- Santa Fe New Mexican — Christus Health, Southwest Care Center warn patients of possible data security incidents — Santa Fe local-press coverage; confirms the class-action filing in the First Judicial District Court, the allegations, and CFO Jason Sanchez’s no-comment due to pending litigation.
- Ransomware.live — Victim profile: Southwest CARE Center (Medusa) — independent tracking of the Medusa leak-site posting; records 143.9 GB total data leakage and confirms the Santa Fe HIV/Hepatitis C clinical profile.
- RedPacket Security — [MEDUSA] Ransomware Victim: Southwest CARE Center — second independent indexing of the Medusa leak-site posting, cross-confirming threat-actor attribution.
- ClaimDepot — Southwest Care Center Data Breach Investigation — plaintiff-firm-facing investigation index page summarizing the 143.9 GB compromise and the breach particulars.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Center for Advanced Eye Care; Southwest C.A.R.E Center; Evergreen Healthcare Group Announce Data Breaches
- Santa Fe New Mexican — Christus Health, Southwest Care Center warn patients of possible data security incidents
- Ransomware.live — Victim profile: Southwest CARE Center (Medusa)
- RedPacket Security — [MEDUSA] Ransomware Victim: Southwest CARE Center
- ClaimDepot — Southwest Care Center Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.