
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

ARC Community Services Announces November 2024 Ransomware Attack

Madison, WI-based ARC Community Services, a provider of behavioral health, substance use disorder treatment, and support services to women and children, has experienced a ransomware attack involving the theft of sensitive data from its network.

ARC Community Services identified unauthorized network activity on November 4, 2024, immediately took its systems offline, and launched an investigation to determine the nature and scope of the unauthorized activity. Assisted by third-party digital forensics experts, ARC Community Services confirmed unauthorized network access, including data exfiltration. In a November 12, 2025, updated substitute breach notice, ARC Community Services said it performed a detailed review of the exposed and exfiltrated data and confirmed that the following types of information were involved: names, contact information, dates of birth, medical record numbers, health information, driver’s license numbers, and financial account information. No evidence has been found to indicate any misuse of the stolen data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring, identity theft protection, and fraud assistance services.

While not described as a ransomware attack in the substitute breach notice, the notification provided to the New Hampshire Attorney General confirmed that this was a ransomware event by the INC Ransom ransomware group. The INC Ransom data leak site still lists ARC Community Services, indicating the ransom was not paid. ARC Community Services informed the Attorney General that file review confirmed on August 28, 2025, that the exfiltrated data included patients’ protected health information, and the file review was completed on November 6, 2025. Notification letters were mailed to the affected individuals in early December 2025.

The delay in issuing notification letters was due to the time taken to accurately identify the affected individuals, confirm the exact data elements involved, and obtain up-to-date contact information to allow notification letters to be sent. ARC Community Services said it has reviewed its data security policies and procedures and is implementing additional safeguards to prevent similar incidents in the future. The data breach was reported to the HHS’ Office for Civil Rights on February 2, 2025, using a placeholder figure of at least 501 affected individuals. The total has yet to be updated with the final breach count.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
