Ransomware · Healthcare / Mental Health · United States · January 2026

Jefferson-Blount-St. Clair Mental Health Authority

Analysis of the Jefferson-Blount Mental Health Authority ransomware attack by the Medusa group, affecting 30,434 individuals.

Records Affected

30,434 individuals

Attack Type

Ransomware

Location

United States

Data types exposed

Mental health services data (specific fields not publicly detailed)

What Happened

In January 2026, Jefferson-Blount-St. Clair Mental Health Authority disclosed a ransomware attack affecting 30,434 individuals. The Medusa ransomware group has been linked to the incident.
The compromised data includes mental health services data, which is among the most sensitive categories of health information. HIPAA breach notification requirements apply.

Timeline

  • January 2026 — Jefferson-Blount-St. Clair Mental Health Authority discloses ransomware attack by Medusa affecting 30,434 individuals

Threat Actor Profile

Medusa is a ransomware group that has been active since 2021, operating a ransomware-as-a-service model with a public leak site for publishing victim data.
The group has increasingly targeted healthcare and mental health providers, recognising the heightened sensitivity and leverage that mental health data provides in extortion scenarios.

Impact and Risk Assessment

For Individuals

30,434 individuals had their mental health services data exposed. Mental health data carries additional stigma and sensitivity beyond typical health information.
Exposure of mental health records can have severe personal and professional consequences, including discrimination and social stigma.
Individuals receiving substance abuse treatment may face particularly acute privacy concerns.

For Organisations

The Mental Health Authority faces HIPAA enforcement risk and potential 42 CFR Part 2 implications if substance abuse treatment records were included.
Mental health providers nationally should assess their ransomware preparedness in light of this incident.

Regulatory Context

HIPAA breach notification requirements apply. Additional protections under 42 CFR Part 2 may apply if substance abuse treatment records were compromised.
Mental health data receives heightened protection under many state laws beyond standard health information.

What Should You Do?

For Individuals

  • If you receive services from this Mental Health Authority, be alert to any unusual communications and monitor your credit reports.
  • Mental health records are subject to enhanced legal protections. If you believe your records have been misused, consult with a privacy attorney.

For Security Professionals

  • Mental health providers should apply the highest levels of data protection given the enhanced sensitivity of their data. This includes encryption at rest, network segmentation, and robust backup procedures.
  • Consider the specific regulatory requirements for mental health and substance abuse data when designing security controls.

Learnings and Recommendations

Mental health data carries additional stigma and sensitivity beyond typical health information. Its exposure can have severe personal and professional consequences for affected individuals.
Ransomware groups continue to target mental health providers, which often have limited security investment relative to the sensitivity of the data they hold.

This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.