Active breach tracker Kansas City, KS Disclosed November 20, 2025

Wyandot Behavioral Health Network Data Breach 2025: 27,174 Kansas City Mental Health & SUD Patients Exposed. 42 CFR Part 2 Records. What To Do

Wyandot Behavioral Health Network (d/b/a Wyandot Center), the Kansas City, KS community mental health center serving Wyandot Center, PACES youth services, RSI crisis, and Kim Wilson Housing, disclosed in November 2025 a September 2025 network intrusion exposing names, Social Security numbers, diagnoses, prescriptions, and medical histories for 27,174 patients. Records include behavioral-health and SUD treatment protected under 42 CFR Part 2. Complimentary credit monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 21, 2025

Unauthorized third party accessed Wyandot's network

Sep 22, 2025

Suspicious activity detected; third-party cybersecurity specialists engaged; law enforcement notified

Nov 5, 2025

Data review concluded; affected individuals and data types identified

Nov 20, 2025

Notice of Data Incident posted on Wyandot website; individual notifications begin

Nov 20, 2025

Filed with HHS OCR (27,174 individuals; Hacking/IT Incident, Network Server)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical record number Diagnosis / condition information Prescription / medication information Medical history (behavioral-health and SUD treatment, 42 CFR Part 2 protected)

03

Contact & insurance

Phishing + targeted scams

Full name Address Patient ID Health insurance information Service date Provider / clinician name

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (publicly investigating) Woods Lonergan PLLC (publicly investigating) Ellzey, Kherkher, Sanford & Montgomery LLP (publicly investigating) McShane & Brady LLC (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Wyandot Behavioral Health Network (d/b/a Wyandot Center) is a nonprofit community mental health center headquartered in Kansas City, Kansas. The network operates as a unified system of care comprising four interconnected organizations: Wyandot Center (adult outpatient counseling and psychiatric services), PACES (youth and adolescent mental health services), RSI (24/7 mental health and substance-use crisis intervention), and Kim Wilson Housing (supportive housing for individuals living with serious and persistent mental illness). Wyandot has served Wyandotte County for decades and employs more than 200 clinicians and staff.

On September 22, 2025, Wyandot detected suspicious activity on its network. Third-party cybersecurity specialists were engaged immediately, and law enforcement was notified. The forensic investigation determined that an unauthorized third party accessed portions of Wyandot’s network over a roughly 24-hour window between September 21 and September 22, 2025.

The data review concluded on November 5, 2025. Wyandot posted a Notice of Data Incident on its website on November 20, 2025, and began notifying affected individuals. The HHS OCR portal lists the incident as a Hacking/IT Incident involving a Network Server, with 27,174 individuals affected.

Timeline

  • September 21, 2025 — Unauthorized third party accessed Wyandot’s network.
  • September 22, 2025 — Suspicious activity detected; cybersecurity specialists engaged; law enforcement notified.
  • November 5, 2025 — Data review concluded; affected individuals and data types identified.
  • November 20, 2025 — Notice of Data Incident posted on Wyandot’s website; individual notifications begin; filed with HHS OCR (27,174 individuals).

What was exposed

The compromised information includes:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Patient ID and medical record number
  • Health insurance information
  • Service date
  • Diagnosis and condition information
  • Provider / clinician name
  • Prescription / medication information
  • Medical history (behavioral-health and SUD treatment records)

Sensitive population: behavioral health and SUD treatment records under 42 CFR Part 2

Wyandot is not an ordinary general-hospital records breach. The affected individuals are people who sought care for mental illness, addiction, trauma, and behavioral-health crises. Patients include adults in outpatient psychiatric treatment, children and adolescents served by PACES, and individuals who called the RSI crisis line for mental-health or substance-use emergencies. RSI and the broader Wyandot system provide substance-use disorder (SUD) treatment, which means an undetermined portion of the stolen records is covered by 42 CFR Part 2 in addition to HIPAA.

Part 2 imposes stricter consent and re-disclosure requirements than HIPAA alone. Patients can sue for unauthorized re-disclosure, and OCR began enforcing Part 2 under a unified rule effective February 16, 2026. The Wyandot notice does not explicitly invoke Part 2 by name, which is likely to become a focal point in litigation if the breached datasets are shown to include SUD treatment records.

The combination of full SSN with a recorded mental-health or SUD diagnosis is the most damaging pairing in the HIPAA-breach catalog. It enables identity theft and creates a permanent record that can be re-disclosed to employers, insurers, custody opponents, immigration adjudicators, and data brokers.

What Wyandot is offering

  • Complimentary credit monitoring and identity theft protection services (duration not specified in Wyandot’s public notice; check your letter).
  • Dedicated call center: 833-929-2258 (Monday-Friday, 8 a.m. to 8 p.m. ET).
  • Wyandot states it has implemented additional security measures and is reviewing its policies and procedures related to data protection.

Class action exposure

At least four plaintiffs’ firms are publicly investigating Wyandot for potential class-action claims as of mid-2026: Strauss Borrelli PLLC, Woods Lonergan PLLC, Ellzey, Kherkher, Sanford & Montgomery LLP, and Kansas City-based McShane & Brady LLC. Negligence, breach of fiduciary duty, breach of implied contract, and unjust enrichment theories are typical for breaches of this profile. The behavioral-health and SUD treatment context elevates damages potential because of the stigma associated with re-disclosure.

What to do if you received a notice

  1. Enroll in the credit monitoring through the activation code in your letter as soon as possible.
  2. Place free credit freezes at Equifax, Experian, and TransUnion. Full SSN is in scope.
  3. File IRS Form 14039 (Identity Theft Affidavit) preemptively if you have not already.
  4. Exercise 42 CFR Part 2 rights if you received SUD treatment from Wyandot, RSI, or any affiliated program. Part 2 gives you stronger redisclosure restrictions than HIPAA alone, and unauthorized re-disclosure of Part 2 records is independently actionable.
  5. Document any unauthorized re-disclosure of your behavioral-health or SUD treatment records by insurers, employers, or downstream entities. Preserve evidence for both the OCR complaint and any class-action claim.
  6. Stop the ongoing flow of your behavioral-health data. HealthConsent files HIPAA restriction requests, 42 CFR Part 2 redisclosure restrictions, and state-law deletion requests so the mental-health and substance-use treatment data exposed in this breach is not continuously re-shared.

Sources

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.