Counseling Center of Wayne and Holmes reports breach affecting 83K

A nonprofit mental health provider in Ohio disclosed a cybersecurity incident involving both protected health and personal information.

What happened

The Counseling Center of Wayne and Holmes Counties, a nonprofit mental health provider in Ohio, reported a data breach after detecting suspicious activity on March 3, 2025. A public notice states that an unauthorized party accessed one of its servers on March 2, 2025, and removed sensitive information before the incident was contained. A forensic investigation found that both personally identifiable information, meaning data that can identify someone, such as a name or Social Security number, and protected health information, which includes medical and treatment details, were accessed. Exposed data may include names, dates of birth, Social Security numbers, driver’s license or state ID numbers, financial account details, health insurance information, medical conditions, provider names, medical record numbers, treatment costs, and diagnosis or treatment information.

The breach affects 83,354 individuals nationwide and was reported to state regulators on February 9, 2026, with written notices sent to affected individuals.

Going deeper

The breach exposed both personally identifiable information and protected health information, increasing the risk to affected individuals. When Social Security numbers, financial account details, and treatment records are accessed together, attackers gain identity data and context that can be used for medical identity fraud, insurance misuse, or targeted phishing that references real care history. Suspicious activity was identified in March 2025, but reporting to state regulators did not occur until February 2026, a delay that can attract scrutiny, particularly in healthcare, where forensic investigations are required to determine what data was taken. Behavioral health providers also face added sensitivity because records may contain diagnosis details, treatment notes, and provider information that patients expect to remain private, meaning the impact can extend beyond financial harm into long-term privacy consequences.

What was said

In its public notice, the Counseling Center said, “We take the privacy and security of the information in our care very seriously,” and stated that it promptly launched an investigation with the help of third party cybersecurity specialists to determine the scope of the incident. The organization advised affected individuals to review financial account statements and monitor free credit reports for suspicious activity, and to consider placing a fraud alert or security freeze with the major credit bureaus if they believe their information was misused. Those whose health insurance details may have been involved were encouraged to check explanations of benefits statements and contact their insurer about unfamiliar services or charges. The incident was also reported to state regulators, including the Maine Attorney General and the Massachusetts Office of Consumer Affairs and Business Regulation.

In the know

A 2024 study titled Cybersecurity: a critical priority for digital mental health, published in the Journal of Medical Internet Research, found a “surge in the supply and demand of digital mental health support services,” alongside “high-profile cyberattacks specifically targeting mental health and behavioral services.” The researchers warned that breaches involving mental health data can be “especially devastating to vulnerable people” because of the sensitivity of diagnoses, treatment histories, and personal circumstances. Unlike many other healthcare records, mental health information can remain relevant for decades, creating long-term privacy and safety risks for patients and for families and caregivers.

The big picture

The average cost of a healthcare data breach has climbed to $11 million, marking the highest average loss of any industry for 14 straight years. Beyond financial damage, federal officials describe these incidents as a "direct and significant threat to patient safety" because exposure of treatment and diagnosis records can disrupt care and erode trust, particularly in behavioral health settings where confidentiality is central to the provider-patient relationship. U.S. Department of Health and Human Services Deputy Secretary Andrea Palm has warned that breaches weaken confidence in the healthcare system, while HHS Office for Civil Rights Director Melanie Fontes Rainer has said many organizations discover security gaps only after a serious incident, describing “confidence without clarity” as a risky stance amid escalating cyberattacks.

FAQs

Why are mental health records considered particularly sensitive in a breach?

Mental health records often contain detailed diagnostic information, therapy notes, medication history, and treatment plans, which may create reputational or personal harm beyond financial identity theft risks.

What is the difference between PII and PHI in this context?

Personally identifiable information refers to data such as Social Security numbers and dates of birth that can identify an individual, while protected health information includes medical details linked to a person’s identity and is regulated under federal healthcare privacy law.

Why are breaches reported to multiple state regulators?

State laws require organizations to notify regulators when residents of those states are affected, even if the organization operates elsewhere. Multistate reporting obligations are common in healthcare breaches.

What is medical identity theft?

Medical identity theft occurs when someone uses another person’s identity to obtain healthcare services or submit fraudulent insurance claims, potentially altering medical records or generating unexpected bills.

Does reporting a breach mean the organization violated HIPAA?

Breach notification does not automatically mean a regulatory violation occurred. Federal regulators assess whether reasonable safeguards were in place and whether the organization met its obligations under healthcare privacy and security rules.