Officials in Albemarle County, Virginia, reported the compromise of sensitive data, including protected health information (PHI), during a ransomware attack in June 2025. The cyberattack started on June 10, 2025, and was discovered the next day when staff could not access some files in the system. State and national government law enforcement were advised, and third-party cybersecurity specialists investigated the incident to find out the extent of the data breach. According to the investigation, which ended on July 15, 2025, the attack resulted in the compromise of the PHI of its self-insured health plan members.
The breached PHI differed from one person to another, which might have included names, phone numbers, home addresses, email addresses, birth dates, employee/user ID numbers, Social Security numbers, healthcare ID numbers, health data, account/patient ID numbers, dates of services, payment and claims data, healthcare provider names, invoice numbers for the medical care gotten, and medical insurance data.
The attack also resulted in the compromise of the information of present and past government and public school staff, along with data associated with their dependents. The breached employee data included names, addresses, passport numbers, driver’s license numbers, Social Security numbers, state ID card numbers, and military ID numbers. The attack also affected the people who conducted business with the county or who received or submitted an application for services from the county.
The investigation and file evaluation recently ended, and notification letters had been issued to the affected individuals. As a precautionary measure, the impacted people were offered free credit monitoring and identity theft protection services for one year. Besides engaging cybersecurity specialists to look into the data breach, third-party HIPAA compliance experts evaluated the county’s system to make sure that it is in compliance with HIPAA Rules. HIPAA training is given to all persons who manage information, and policies associated with the management and storage of PHI are under review. The county is presently considering more actions for strengthening system security. The data breach report has not appeared yet on the HHS’ Office for Civil Rights breach website, thus, the number of individuals affected by the PHI breach is presently uncertain.
The attack seems to have been carried out by the INC Ransom ransomware group, which listed Albemarle County Public Schools on its dark web data leak website. INC Ransom says it had extracted 229 GB of data during the attack. INC Ransom has exposed the stolen information; hence, the affected individuals are instructed to register for the free credit monitoring and identity theft protection services immediately and must also examine their accounts, credit reports, and explanation of benefits statements for indications of personal data misuse.