Cyberattack on ARC Community Services by INC Ransom Ransomware Group

ARC Community Services based in Madison, WI offers to women and children substance use disorder treatment, behavioral health, and support services. It encountered a ransomware attack that resulted in the theft of sensitive information from its system.

On November 4, 2024, ARC Community Services discovered unauthorized system activity and quickly shutdown its systems. It started an investigation to find out the nature and extent of the unauthorized activity. With the help of third-party digital forensics specialists, ARC Community Services affirmed the unauthorized network access, which included data theft. The provider updated its substitute breach notice on November 12, 2025, which stated it conducted a comprehensive analysis of the breached and stolen data. The following types of data were affected by the data breach: names, contact details, birth dates, driver’s license numbers, medical record numbers, health data, and financial account data. There is no proof found that suggest the misuse of stolen information. Nevertheless, as a preventative measure, the impacted persons were provided free identity theft protection, fraud assistance, and credit monitoring services.

Although the substitute breach notice did not identify the incident as a ransomware attack, the notification sent to the New Hampshire Attorney General stated it was a ransomware attack conducted by the INC Ransom ransomware group. ARC Community Services is still listed on the INC Ransom data leak site, which means the company did not pay the ransom. On August 28, 2025, ARC Community Services sent notification to the Attorney General about the results of the conducted file review, which was completed on November 6, 2025. The breached information included patients’ protected health information (PHI), hence ARC mailed notification letters to the impacted individuals at the begining of December 2025 in compliance with HIPAA laws.

The delay in sending notification letters was because of the time it took to properly identify the impacted individuals, validate the actual data breached, and get updated contact details needed to send the notification letters. ARC Community Services mentioned it has evaluated its data security guidelines and procedures and is adding more safeguards to avoid the same incidents later on. On February 2, 2025, the data breach report is submitted to the HHS’ Office for Civil Rights with a placeholder of at least 501 affected persons. The final breach count will be updated when the information is available.

Image credit: Andrey Popov, Adobestock

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

John Blacksmith

John Blacksmith is a journalist with several years experience in both print and online publications. John has specialised in Information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years experience.
Twitter
LinkedIn