Community Health Center, Inc. (CHC), a federally qualified health center in Connecticut, reported a significant data breach after a cyberattack on its systems. The breach, discovered on January 2, 2025, potentially exposed sensitive personal and health information of over 1 million individuals, including those who received COVID-19 tests or vaccines at CHC clinics. The breach was detected when unusual activity was identified within the system, and cybersecurity experts quickly responded to mitigate the situation.
CHC confirmed that no data was deleted or locked during the attack, and daily operations were not disrupted.
The information compromised in the breach varied depending on the individual’s relationship with CHC. For regular patients, sensitive data such as names, addresses, phone numbers, Social Security Numbers (SSNs), health insurance details, and health conditions may have been exposed. Individuals who received COVID-19 tests or vaccines may have had personal details like names, birth dates, contact information, and in some cases, SSNs and vaccination data compromised. CHC has stated that the breach was limited to data access and that no ongoing threats are believed to exist.
CHC has worked swiftly to enhance its cybersecurity by implementing new monitoring software and bolstering its system protections. In response to the breach, the organization issued notifications to those affected and set up a dedicated website to provide assistance. To further support the impacted individuals, CHC is offering free identity theft protection services for those whose SSNs were compromised, which includes credit monitoring, identity recovery assistance, and insurance coverage.
The health center’s president, Mark Masselli, expressed regret over the incident, acknowledging the inconvenience caused by the criminal activity. CHC is advising individuals whose SSNs were impacted to enroll in the free identity protection services offered by IDX and has set up a hotline to guide affected individuals. The organization reassures the public that there is currently no evidence of the compromised data being misused, and steps have been taken to secure its systems.
Reference: