Counseling Center of Wayne and Holmes Counties Data Breach Exposes Sensitive Medical and Identity Information

A data breach involving the Counseling Center of Wayne and Holmes Counties (CCWHC) has compromised the sensitive personal and medical information of 83,354 individuals. 

For a behavioral health provider entrusted with deeply private details about patients’ lives, the incident raises serious concerns about cybersecurity safeguards and third-party vendor oversight.

When anyone collects your personal data and stores it, they owe you a duty of care to protect it, and when lax security measures leave the back door wide open for cyber criminals, that’s negligence.

If you received a notification letter from CCWHC, your personal, financial, and medical information may now be at risk. Below is what we know and what affected individuals should do next.

What Happened With the Counseling Center of Wayne and Holmes Counties' Data Breach?

According to disclosures, the breach began on March 2, 2025, when an unauthorized third party gained access to a single CCWHC server. On March 3, 2025, files were exfiltrated from that system.

The same day, CCWHC’s third-party service provider notified the organization about a cybersecurity incident that disrupted IT systems. An investigation was launched, outside data security experts were engaged, impacted systems were removed, and credentials were reset.

However, by the time containment steps were taken, sensitive files had already been copied.

While CCWHC has stated that remediation measures were implemented, the critical issue remains: highly sensitive behavioral health and identity information had already left the organization’s control.

What Information Was Exposed in the Counseling Center Data Breach?

The breach involves an extensive range of deeply personal data, far beyond just names and contact information.

According to the forensic investigation, the compromised information may include:

• Full names
• Dates of birth
• Social Security numbers
• Driver’s license or state ID numbers
• Health insurance information
• Medical record numbers
• Diagnoses
• Treatment information
• Treatment provider names
• Treatment cost information
• Medical condition information

For a counseling and behavioral health provider, this level of exposure is particularly alarming. Mental health treatment records and diagnoses are among the most private forms of personal data. When combined with Social Security numbers and insurance information, the risk multiplies.

Why This Breach Is Especially Concerning

1. Medical Identity Theft Risk

Medical identity theft occurs when someone uses another person’s health information to obtain services, prescriptions, or file fraudulent insurance claims. It can take months or even years for victims to detect, and untangling inaccurate medical records can be extremely difficult.

Unlike a credit card number, you cannot cancel your medical history.

2. Exposure of Behavioral Health Records

Mental health treatment information carries a unique sensitivity. Diagnoses, counseling notes, and treatment histories can be exploited for identity fraud, blackmail, reputational harm, or discrimination if improperly disclosed.

Healthcare providers have heightened legal obligations to protect this information under federal and state privacy laws.

3. Combination of Financial and Medical Data

When Social Security numbers are exposed alongside insurance information and treatment records, attackers gain a complete profile that can be used for:

• Filing fraudulent tax returns
• Opening lines of credit
• Submitting fake insurance claims
• Creating synthetic identities

This is not limited to short-term fraud. I can create long-term exposure risks.

The Role of Third-Party Vendors in the Data Breach

Notably, the breach was identified after CCWHC’s third-party service provider reported suspicious activity that disrupted IT systems.

Healthcare organizations increasingly rely on external vendors for IT infrastructure, hosting, and cybersecurity monitoring. But outsourcing does not eliminate responsibility.

Organizations that collect and store sensitive health data remain responsible for ensuring adequate monitoring of the data, prompt detection of security breaches, proper vendor oversight, strong access controls, and implementing segmented and encrypted systems.

When a third-party vendor is involved, it raises important questions. Were proper safeguards in place? How long did unauthorized access persist? Was data encrypted at rest? Were access logs reviewed in real time?

If attackers were able to access and exfiltrate files from a server within a single day, it suggests potential gaps in monitoring or defensive controls.

How Long Were Individuals at Risk?

The unauthorized access occurred on March 2, 2025, with file exfiltration on March 3, 2025. While the intrusion appears limited to that timeframe, the impact may last far longer.

Stolen data is often sold on dark web marketplaces, used months later to avoid detection, or even aggregated with data from other breaches.

Victims may not see fraudulent activity immediately.

What Should Affected Individuals Do?

If you received a breach notification letter from CCWHC, consider taking the following steps:

1. Monitor Financial Accounts Closely

Review bank, credit card, and insurance statements for unfamiliar charges or claims.

2. Place a Credit Freeze

A credit freeze prevents new accounts from being opened in your name.

3. Watch for Medical Billing Irregularities

Check explanation-of-benefits (EOB) statements for services you did not receive.

4. Consider Identity Theft Protection

If offered, review the terms carefully and understand how long monitoring lasts.

5. Preserve Documentation

Keep your breach notification letter and any correspondence. This documentation may be important if fraudulent activity occurs later.

Can I Take Legal Action for a Data Breach?

When healthcare providers fail to safeguard sensitive personal and medical information, affected individuals may have legal rights.

Potential claims in data breach cases may involve:

• Negligence
• Failure to implement reasonable cybersecurity measures
• Failure to adequately monitor systems
• Failure to supervise third-party vendors
• Violations of consumer protection laws

Courts increasingly recognize that exposure of Social Security numbers and medical records creates a substantial risk of future harm, even before fraud occurs.

Why Data Breaches at Healthcare Providers Are Different

A breach at a retail store might expose payment information. A breach at a counseling center exposes your identity and your private medical life.

That difference matters.

Behavioral health providers are entrusted with some of the most vulnerable and sensitive information a person can share. Patients often disclose trauma histories, mental health conditions, addiction struggles, and deeply personal circumstances.

When that trust is compromised, the consequences extend beyond financial harm.

Morgan & Morgan Can Help

If you were affected by the Counseling Center of Wayne and Holmes Counties data breach, you may be entitled to compensation for the time spent monitoring accounts, costs associated with identity protection, fraud-related losses, and even emotional distress in certain circumstances.

Morgan & Morgan’s data breach attorneys have experience holding organizations accountable when they fail to properly secure sensitive information.

We work on a contingency-fee basis. That means The Fee Is Free® unless we win, and anyone can have access to justice.

If you received a notice about this breach, you do not have to navigate the aftermath alone.

Contact Morgan & Morgan today for a free case evaluation and learn whether you may have a claim.