The Alabama mental health practice disclosed the incident to the Department of Health and Human Services (HHS).
Jefferson Blount St. Clair Mental Health Authority (JBS) recently reported a data breach estimated to impact 30,434 individuals. The incident was reported to the HHS on January 23rd, 2026 as a hacking breach against JBS’ network server.
In JBS’ notice, the organization said breached information may have included names, Social Security numbers, health insurance information, dates of birth, and medical information, including billing and claims information, as well as Medicare/Medicaid data.
JBS provided some details about the nature of the incident, stating that around November 25th, the mental health provider experienced a ransomware attack. The incident was discovered on the same day, but the files accessed by the attacker dated as far back as 2011. Files involved were from both patients and employees.
It’s believed that the ransomware group responsible is Medusa, a threat group believed to be associated with Russia. CISA released a threat advisory about the group in March of 2025, noting that the group appears to operate using a Ransomware-as-a-Service (RaaS) model and has carried out over 300 attacks. According to Ransomware Look, a ransomware victim tracker, Medusa stole 168.6 gigabytes of data from JBS.
Ransomware attacks can leave lingering concerns and fallout for victims. For instance, we don’t know if JBS attempted to negotiate with Medusa to have the data deleted. We also don’t know if Medusa plans to sell the information on the dark web.
Mental health data, like what JBS holds, can be particularly personal; many individuals avoid sharing their mental health conditions to avoid stereotypes or generalizations. While JBS is one of the more recent victims, studies now show that ransomware is one of the leading causes of data breaches. It’s believed that at least 375 million individuals have been impacted. Beyond the impact on victims, such as fraud or identity theft, organizations face increased costs associated with lawsuits, increased administrative burdens, and more. Recent estimates show a ransomware breach can cost an organization, on average, over $5 million. These reports show that preventing breaches is critical for an organization’s financial health, as well as the safety of its patients’ and employees’ data.
RaaS is a service model in which threat actors sell or lease ransomware to other malicious groups. This model allows individuals with limited coding and software skills to still victimize organizations.
Some of the accessed records at JBS were approximately 15 years old. HIPAA does not have any requirements for how long an organization needs to store data, but data should generally be disposed of when it is no longer needed. Organizations may be beholden to other requirements from Medicaid or the state, but most only require data to be stored for up to 10 years. Safely destroying data when it is no longer needed is a key strategy to limit the impact of a data breach when one takes place: data that has already been destroyed cannot be stolen.