The Wisconsin behavioral health provider confirmed that patient information was taken during a network intrusion.
ARC Community Services, a Madison-based provider of behavioral health and substance use disorder services for women and children, disclosed that it experienced unauthorized access to its network beginning on November 4, 2024. According to a breach notification filed with the New Hampshire Attorney General, the incident involved data exfiltration during a ransomware attack. A subsequent review confirmed that exposed information included names, contact details, dates of birth, medical record numbers, health information, driver’s license numbers, and financial account data. Notification letters were sent to affected individuals in early December 2025 after completion of a detailed file review.
ARC said it detected suspicious activity and took systems offline to contain the incident before engaging external forensic specialists. The investigation confirmed that files were accessed and removed, although the organization reported no evidence of misuse at the time notifications were issued. Information provided to state regulators identified the attack as a ransomware incident linked to the INC Ransom group, and the organization remains listed on the group’s leak site. ARC explained that the notification was delayed due to the time required to identify affected individuals, confirm the specific data elements involved, and obtain accurate contact information. The breach was reported to federal regulators using a placeholder figure while the final impact assessment was completed.
ARC stated that it reviewed the exposed data in detail and offered affected individuals credit monitoring and identity protection services as a precaution. The organization said it has evaluated its existing security controls and is implementing additional safeguards to reduce the likelihood of similar incidents. Officials also noted that the investigation focused on accuracy to ensure notifications reflected verified findings rather than preliminary estimates.
Ransomware remains a persistent risk for behavioral health and community-based care providers, which often operate with constrained cybersecurity resources while managing highly sensitive clinical data. In its 2024 ransomware analysis, the Cybersecurity and Infrastructure Security Agency (CISA) reported that healthcare and social assistance organizations continue to be among the most frequently targeted sectors, with ransomware actors prioritizing data theft and extortion alongside system disruption. CISA noted that incidents in healthcare environments commonly involve prolonged investigation and recovery timelines, particularly when organizations must reconstruct user activity across large, shared file repositories to determine the scope of data access prior to disclosure.
No. Data theft increases risk, but misuse is not guaranteed, especially when attackers fail to monetize the data or when access is limited.
Providers must identify affected individuals, confirm what data was involved, and verify contact details before issuing legally required notices.
They store detailed clinical and identity data and often rely on smaller IT teams, which can limit detection and response capabilities.
They can review explanation of benefits statements, monitor financial accounts, consider credit monitoring, and remain cautious of unsolicited communications referencing care or services.