A cyberattack on Community Health Center, Inc. (CHC), a nonprofit health clinic in Connecticut, compromised the protected health information (PHI) of nearly 1.1 million individuals. CHC provides healthcare services for adults and children in medically underserved areas throughout Connecticut.

The clinic filed a report in Maine last week explaining the breach. The company said it detected suspicious activity on its network on January 2 and determined that a “skilled criminal hacker” had broken in to steal the health and personal information of more than a million patients. The hacker first breached the company’s network on October 14, 2024. The clinic also reported the breach in California.

Breach Notification is Underway

CHC is a federally qualified health center (FQHC) that provides primary health care, urgent care, dental care, school-based health care, substance abuse treatment, and behavioral health services for Connecticut residents. The clinic is sending breach notices to all affected individuals, including pediatric patients and their parents and guardians, stating that their information was potentially stolen in the cyberattack.

According to the clinic’s breach report to the California attorney general, in addition to current and former patients, CHC is sending an unspecified number of notification letters to the “next of kin” of deceased patients.

CHC said that the hacker may have accessed or taken personal information such as a patient’s name, date of birth, address, phone number, email, diagnoses, treatment details, test results, Social Security number, and health insurance information.

The nonprofit said the hacker did not delete or encrypt any of its data, and the incident did not affect its daily operations. No cybercriminal group has claimed responsibility to date.

In its letter to patients, CHC said:

“We’ve strengthened our security and added special software to watch for suspicious activity. We are also working to make sure your information stays safe in the future. We sincerely regret any inconvenience resulting from this criminal activity and thank you for your continued support of CHC.”

The clinic is offering affected individuals 24 months of complimentary identity and credit monitoring.

Largest HIPAA Breach So Far in 2025

As of today, the CHC breach has not yet been posted to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Breach Reporting Tool website, which lists major health data breaches. The last report file date on the website was January 24. Once it is filed, it will be the largest breach reported so far in 2025 unless a larger one is reported during the last week.

Given the records of recent years, there will likely be many larger breaches as the year goes on.

HIPAA Security Rule Requires Vigilance

It’s too early to determine how the hacker entered the clinic’s network. CHC’s website notice and breach reports only say that it “noticed unusual activity in our computer system” and that “a skilled criminal hacker got into our system and took some data” without further explanation. We don’t know, for example, whether the hacker entered the system using email phishing, stolen credentials, or exploited software vulnerabilities. CHC did not mention ransomware.

Clinic Promises to Do Better in the Future

CHC may not have had robust cybersecurity protections in place. In its letter to affected individuals, the clinic mentioned strengthening cybersecurity and adding “special software to watch for suspicious activity.” A HIPAA investigation will look for the root cause to help the clinic ensure it is stronger in the future.

Prevent HIPAA Breaches Today

You can improve today by reviewing a list of key action steps. At the top of the list is the HIPAA Risk Analysis. Review and update your risk analysis today, and follow the Security Rule Checklist.

Don’t wait for a HIPAA breach to improve security.