Wyandot Behavioral Health Network Data Breach 2025: 27,174 Kansas City Mental Health & SUD Patients Exposed. 42 CFR Part 2 Records. What To Do
Wyandot Behavioral Health Network (d/b/a Wyandot Center), the Kansas City, KS community mental health center serving Wyandot Center, PACES youth services, RSI crisis, and Kim Wilson Housing, disclosed in November 2025 a September 2025 network intrusion exposing names, Social Security numbers, diagnoses, prescriptions, and medical histories for 27,174 patients. Records include behavioral-health and SUD treatment protected under 42 CFR Part 2. Complimentary credit monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 21, 2025
Unauthorized third party accessed Wyandot's network
Sep 22, 2025
Suspicious activity detected; third-party cybersecurity specialists engaged; law enforcement notified
Nov 5, 2025
Data review concluded; affected individuals and data types identified
Nov 20, 2025
Notice of Data Incident posted on Wyandot website; individual notifications begin
Nov 20, 2025
Filed with HHS OCR (27,174 individuals; Hacking/IT Incident, Network Server)
Sep 21, 2025
Unauthorized third party accessed Wyandot's network
Sep 22, 2025
Suspicious activity detected; third-party cybersecurity specialists engaged; law enforcement notified
Nov 5, 2025
Data review concluded; affected individuals and data types identified
Nov 20, 2025
Notice of Data Incident posted on Wyandot website; individual notifications begin
Nov 20, 2025
Filed with HHS OCR (27,174 individuals; Hacking/IT Incident, Network Server)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Wyandot Behavioral Health Network (d/b/a Wyandot Center) is a nonprofit community mental health center headquartered in Kansas City, Kansas. The network operates as a unified system of care comprising four interconnected organizations: Wyandot Center (adult outpatient counseling and psychiatric services), PACES (youth and adolescent mental health services), RSI (24/7 mental health and substance-use crisis intervention), and Kim Wilson Housing (supportive housing for individuals living with serious and persistent mental illness). Wyandot has served Wyandotte County for decades and employs more than 200 clinicians and staff.
On September 22, 2025, Wyandot detected suspicious activity on its network. Third-party cybersecurity specialists were engaged immediately, and law enforcement was notified. The forensic investigation determined that an unauthorized third party accessed portions of Wyandot’s network over a roughly 24-hour window between September 21 and September 22, 2025.
The data review concluded on November 5, 2025. Wyandot posted a Notice of Data Incident on its website on November 20, 2025, and began notifying affected individuals. The HHS OCR portal lists the incident as a Hacking/IT Incident involving a Network Server, with 27,174 individuals affected.
Timeline
- September 21, 2025 — Unauthorized third party accessed Wyandot’s network.
- September 22, 2025 — Suspicious activity detected; cybersecurity specialists engaged; law enforcement notified.
- November 5, 2025 — Data review concluded; affected individuals and data types identified.
- November 20, 2025 — Notice of Data Incident posted on Wyandot’s website; individual notifications begin; filed with HHS OCR (27,174 individuals).
What was exposed
The compromised information includes:
- Full name
- Address
- Date of birth
- Social Security number
- Patient ID and medical record number
- Health insurance information
- Service date
- Diagnosis and condition information
- Provider / clinician name
- Prescription / medication information
- Medical history (behavioral-health and SUD treatment records)
Sensitive population: behavioral health and SUD treatment records under 42 CFR Part 2
Wyandot is not an ordinary general-hospital records breach. The affected individuals are people who sought care for mental illness, addiction, trauma, and behavioral-health crises. Patients include adults in outpatient psychiatric treatment, children and adolescents served by PACES, and individuals who called the RSI crisis line for mental-health or substance-use emergencies. RSI and the broader Wyandot system provide substance-use disorder (SUD) treatment, which means an undetermined portion of the stolen records is covered by 42 CFR Part 2 in addition to HIPAA.
Part 2 imposes stricter consent and re-disclosure requirements than HIPAA alone. Patients can sue for unauthorized re-disclosure, and OCR began enforcing Part 2 under a unified rule effective February 16, 2026. The Wyandot notice does not explicitly invoke Part 2 by name, which is likely to become a focal point in litigation if the breached datasets are shown to include SUD treatment records.
The combination of full SSN with a recorded mental-health or SUD diagnosis is the most damaging pairing in the HIPAA-breach catalog. It enables identity theft and creates a permanent record that can be re-disclosed to employers, insurers, custody opponents, immigration adjudicators, and data brokers.
What Wyandot is offering
- Complimentary credit monitoring and identity theft protection services (duration not specified in Wyandot’s public notice; check your letter).
- Dedicated call center: 833-929-2258 (Monday-Friday, 8 a.m. to 8 p.m. ET).
- Wyandot states it has implemented additional security measures and is reviewing its policies and procedures related to data protection.
Class action exposure
At least four plaintiffs’ firms are publicly investigating Wyandot for potential class-action claims as of mid-2026: Strauss Borrelli PLLC, Woods Lonergan PLLC, Ellzey, Kherkher, Sanford & Montgomery LLP, and Kansas City-based McShane & Brady LLC. Negligence, breach of fiduciary duty, breach of implied contract, and unjust enrichment theories are typical for breaches of this profile. The behavioral-health and SUD treatment context elevates damages potential because of the stigma associated with re-disclosure.
What to do if you received a notice
- Enroll in the credit monitoring through the activation code in your letter as soon as possible.
- Place free credit freezes at Equifax, Experian, and TransUnion. Full SSN is in scope.
- File IRS Form 14039 (Identity Theft Affidavit) preemptively if you have not already.
- Exercise 42 CFR Part 2 rights if you received SUD treatment from Wyandot, RSI, or any affiliated program. Part 2 gives you stronger redisclosure restrictions than HIPAA alone, and unauthorized re-disclosure of Part 2 records is independently actionable.
- Document any unauthorized re-disclosure of your behavioral-health or SUD treatment records by insurers, employers, or downstream entities. Preserve evidence for both the OCR complaint and any class-action claim.
- Stop the ongoing flow of your behavioral-health data. HealthConsent files HIPAA restriction requests, 42 CFR Part 2 redisclosure restrictions, and state-law deletion requests so the mental-health and substance-use treatment data exposed in this breach is not continuously re-shared.
Sources
- HIPAA Journal: Kansas City Behavioral Health Center Discloses September 2025 Data Breach
- Woods Lonergan PLLC: Wyandot Center Data Breach Investigation
- Strauss Borrelli PLLC: Wyandot Center Data Breach Investigation
- ClaimDepot: Wyandot Center Data Breach
- EKSM: Wyandot Behavioral Health Network Announces Data Breach
- McShane & Brady: HealthCare Interactive, Wyandot Center Announce Breaches
- Wyandot Behavioral Health Network
- HHS OCR Breach Portal
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Kansas City Behavioral Health Center Discloses September 2025 Data Breach
- Woods Lonergan PLLC: Wyandot Center Data Breach Investigation
- Strauss Borrelli PLLC: Wyandot Center Data Breach Investigation
- ClaimDepot: Wyandot Center Data Breach
- EKSM: Wyandot Behavioral Health Network Announces Data Breach
- McShane & Brady: HealthCare Interactive, Wyandot Center Announce Breaches
- Wyandot Behavioral Health Network
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.