Oglethorpe data breach

Oglethorpe, Inc. (Oglethorpe), a Florida-based network of mental health and addiction recovery treatment providers, recently disclosed a major healthcare data breach.

The breach, involving unauthorized access to patient data, affects more than 92,000 individuals across the organization’s facilities in Florida, Louisiana, and Ohio.

Timeline and Scope

Oglethorpe reported a cybersecurity incident that started on May 15, 2025, when unauthorized individuals first accessed its network. The intrusion continued until June 6, 2025, when it was detected. The cyberattack briefly rendered the network inoperable.

Third-party cybersecurity experts were immediately brought in to contain, investigate, and remediate the security breach. The investigation, which concluded on September 16, 2025, confirmed that protected health information (PHI) was exfiltrated from the network.

The follow-up review of the compromised files was completed on October 23, 2025, revealing that the stolen data included highly sensitive personal and medical information.

Compromised Patient Data

The protected health information that may have been compromised in the data theft includes:

  • First and last names
  • Birth dates
  • Social Security numbers
  • Driver’s license numbers
  • Medical information

Oglethorpe describes the incident on its website as follows:

“Through its ongoing investigation, Oglethorpe recently learned that the unauthorized party may have accessed sensitive information on Oglethorpe’s systems. As the investigation remains ongoing, the categories of information which may have been exposed have not been determined nor has an impacted population been identified. Upon completion of the investigation, Oglethorpe will update this notice with newly available information.”

Oglethorpe has reported the incident to the state of Maine. It may have reported the breach to the U.S. Department of Health and Human Services (HHS) breach portal, but the federal government shutdown has prevented updates to the portal since late September.

The company has also notified the FBI and is cooperating with that investigation.

Oglethorpe’s Response and Remediation

In response to the breach, Oglethorpe says that it has taken several steps:

  • System Overhaul: All affected systems were wiped and rebuilt, with data restored from backups.
  • Security Enhancements: Measures have been implemented to strengthen network security, including reviewing and adjusting policies, procedures, and security software to better protect and manage data.
  • Credit Protection: Although Oglethorpe has found no evidence indicating the misuse of the compromised information, it is offering affected individuals 12 months of complimentary credit monitoring, credit report, and credit score services to guard against identity theft and fraud.

Investigations and Potential Lawsuits

Oglethorpe faces several challenges ahead. It will conclude its own investigation, cooperate with law enforcement’s investigation, and will be investigated by HHS’ Office for Civil Rights (OCR), which enforces HIPAA.

Given that large health data breaches often attract class action lawsuits, it is not surprising that several law firms are already investigating the Oglethorpe incident. The law firms are advertising online for potential plaintiffs to join a lawsuit against Oglethorpe for breach of privacy.

Behavioral Health Data is Sensitive

All patient information must be safeguarded against theft because privacy and trust are the foundation of quality healthcare. Moreover, protecting patient privacy is required by HIPAA, the Health Insurance Portability and Accountability Act.

However, behavioral health data tends to be more sensitive because of the social stigma associated with mental health treatment, especially for substance use disorders like addiction.

The Oglethorpe incident is a reminder of the unique risks linked to breaches involving sensitive health data.

The Key Takeaway is to do a HIPAA Risk Analysis

Not many details are known about what happened at Oglethorpe. A central question in an OCR investigation, and in any civil lawsuit, will be whether the company used strong cybersecurity measures to protect patient data. What happened before the breach, and did Oglethorpe do enough to safeguard the sensitive information in its care?

All healthcare providers must have HIPAA policies and procedures in place, train their workforce, and conduct a thorough HIPAA risk analysis.

OCR has emphasized the importance of risk analysis time and time again. It is the single most important task of a HIPAA compliance program: to analyze where and how patient data is stored and transmitted; to ensure that business associates comply with HIPAA; to identify the specific threats and vulnerabilities to that patient data; and to implement safeguards to keep it secure.

The safeguards required under HIPAA serve as a blueprint for preventing data breaches and protecting patient privacy. You can do more today to strengthen your cybersecurity posture and avoid a breach and the costly aftermath of investigations and lawsuits.
