TL;DR: Community Health Center, Inc. (CHC), a Connecticut-based nonprofit, suffered a data breach affecting 1,060,936 patients. A "skilled criminal hacker" accessed systems starting in mid-October 2024, but CHC didn't notice until January 2, 2025. Stolen data includes Social Security numbers, diagnoses, test results, treatment information, and health insurance details. If you got a COVID test or vaccine at a CHC clinic, you're likely affected. They're offering two years of identity monitoring. Given they missed an intruder for nearly three months, that feels inadequate.

What Happened

On January 2, 2025, Community Health Center, Inc. detected what they euphemistically call "unauthorized activity" in their computer systems. The investigation revealed the breach actually started in mid-October 2024.[1]

Translation: A hacker had free rein in their systems for roughly 10 weeks before anyone noticed.

The attack impacted 1,060,936 individuals nationwide, with 1,008,519 of those in Connecticut alone.[2] That's nearly one in three Connecticut residents.

CHC operates clinics throughout Connecticut providing primary care, dental services, and specialty care. They also ran COVID testing and vaccination sites. If you walked into one of their facilities at any point, your data is probably on a criminal's hard drive right now.

What They Took

According to CHC's official disclosures, the compromised data varies by individual but may include:[1][2][3]

  • Social Security numbers (the golden ticket for identity theft)
  • Names and addresses (where to find you)
  • Dates of birth (more identity theft fuel)
  • Phone numbers and email addresses (for targeted phishing)
  • Diagnoses and test results (your private medical history)
  • Treatment information (what medications you take, procedures you've had)
  • Health insurance details (member IDs, policy information)

This isn't just identity theft risk. Medical data is uniquely sensitive. Your diagnoses, mental health history, STI test results: a criminal now has access to your private health decisions.

CHC emphasizes that "data was exfiltrated, not deleted." Great. So their systems kept running while your life got copied to a criminal server.

Ten Weeks of Access. Ten. Weeks.

The breach started in mid-October 2024. CHC discovered it January 2, 2025. That's approximately 10 weeks of undetected access.[1]

What was happening during those ten weeks?

  • Patients kept providing personal information to CHC clinics
  • Staff kept accessing systems that were compromised
  • No one noticed the hacker copying files
  • No security alert triggered until January

CHC claims they "stopped the hacker within hours" of detection and that "daily operations were not interrupted."[3] Cool. But the hacker had three months. How much data can you exfiltrate in three months? All of it.

Notification letters to affected individuals went out January 30, 2025. A full month after discovery. Another month your stolen data circulated without you knowing.

Who's Affected

The breach impacts three groups:[1][2]

Current CHC Patients

Anyone receiving primary care, dental, or specialty services at Community Health Center facilities.

Former Patients

Historical patient records were accessible. If you ever visited a CHC clinic, assume you're compromised.

COVID Test/Vaccine Recipients

Anyone who received COVID-19 tests or vaccinations at CHC clinics during the pandemic.

Over one million people trusted their most sensitive information to CHC. That trust was misplaced.

Healthcare's Breach Epidemic

CHC isn't an outlier. Healthcare is the most-breached industry in America. Why? Because medical data is worth 10-40 times more than credit card numbers on the dark web.[4]

Healthcare organizations often run on tight budgets. Security gets deprioritized. IT systems are outdated. Staff training is inadequate. And the data they collect (your entire medical history) is incredibly valuable.

The 2025 "Breachies" already highlight healthcare's failures: Blue Shield sharing 4.7 million patients' data with Google for three years. Hospital chains hit by ransomware. Community health centers compromised.[5]

CHC is a nonprofit serving underserved communities. That's admirable. But it doesn't excuse ten weeks of undetected intrusion. Or losing over a million patients' SSNs.

What You Can Do

Freeze Your Credit Immediately

Your Social Security number is stolen. Freeze your credit at all three bureaus: Equifax, Experian, TransUnion. This stops new accounts from being opened. Free and reversible.

Accept the Identity Monitoring (But Don't Rely On It)

CHC offers 24 months of identity theft protection through IDX. Enroll, but understand monitoring only alerts you AFTER theft occurs. It doesn't prevent it.

Watch for Medical Identity Theft

Request your medical records. Check for unknown treatments or prescriptions. Someone could be using your insurance for their care, or running prescription fraud in your name.

Monitor Your Insurance Statements

Review every Explanation of Benefits (EOB). Look for services you didn't receive. Report discrepancies to your insurer immediately.

Be Suspicious of Health-Related Contact

Criminals now have your medical details. Expect targeted phishing: "Your recent test results require action" or "Your prescription needs verification." Don't click links.

Request Your CHC Records

Under HIPAA, you can request your records and an accounting of disclosures. Find out exactly what data they held on you.

The Bigger Picture

Community Health Center serves vulnerable populations. Low-income patients. The uninsured. People who have nowhere else to go for healthcare. These are exactly the people least equipped to handle identity theft.

And now over a million of them have their SSNs, medical histories, and personal details in criminal hands. Because a health center didn't detect an intruder for ten weeks.

Two years of identity monitoring doesn't fix a stolen Social Security number. That number follows you for life. Every loan application. Every background check. Every tax filing. Forever tainted.

CHC says they've "enhanced security measures" and "implemented new monitoring software."[3] Should've done that before the breach. Now it's just a press release talking point.

References

  1. SecurityWeek - 1 Million Impacted by Data Breach at Connecticut Healthcare Provider (January 2025)
  2. CT Insider - Community Health Center data breach impacts over 1 million (January 2025)
  3. Becker's Hospital Review - Community Health Center breach hits 1M individuals (January 2025)
  4. Ponemon Institute - Cost of a Data Breach Report 2024
  5. EFF - The Breachies 2025: Worst Data Breaches of the Year