Attorney
Woods Lonergan PLLC is a nationally recognized litigation firm that represents patients and consumers in select data breach class actions nationwide. Our attorneys have a proven record of handling complex data privacy and cybersecurity matters and evaluating potential claims when public reports allege that sensitive personal information has been exposed in a cyber incident.
If you have received behavioral health services from Wyandot Center (Kansas City Behavioral Health Center), Call Our Data Breach Lawyers 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com for a free and confidential consultation.
Woods Lonergan takes no fees unless we win.
Who did the Wyandot Center Data Breach impact?
In November 2025, Wyandot Center, a nonprofit community behavioral health center in Kansas City, Kansas, announced that it had experienced a cybersecurity incident that exposed protected health information (PHI) and other sensitive data stored on its network. Public reports sometimes refer to this event as the “Kansas City Behavioral Health Center” data breach because Wyandot Center is the designated community mental health center for Wyandotte County.
Wyandot Center’s adult behavioral health services are anchored at its clinic and crisis location, where adults can walk in on weekdays for same-day mental health assessments and access outpatient therapy, psychiatric medication management, case management, and other recovery-focused services. Additional Wyandot Behavioral Health Network locations in Kansas City, Kansas—including PACES and the RSI Crisis Center —support youth and adults through crisis stabilization, substance-use crisis care, and family-based services.
That means the individuals potentially affected include:
- Adults in Wyandotte County who receive outpatient counseling, psychiatric care, case management, or recovery services through Wyandot Center’s main clinic.\
- Children, teens, and families who receive youth mental health services through PACES, including therapy, case management, crisis and outreach support, psychosocial groups, and caregiver support.
- Adults from Wyandotte and Johnson counties who have used the RSI Crisis Center for 24/7 crisis stabilization, sobering support, short-term crisis observation, or detox and mental health crisis services.
- Individuals in crisis or justice-involved programs whose case records are maintained on Wyandot systems and who may have engaged with Wyandot’s justice-involved support, housing, or employment programs connected to these Kansas City, Kansas locations.
- Other patients or customers whose information was stored in the portions of the network may have been accessed during the incident.
If you live in Kansas City, Kansas—especially in ZIP codes 66101, 66102, 66106, or 66112—and have gone to Wyandot Center for adult mental health services, to PACES for your child’s therapy or crisis care, or to RSI for a mental health or substance-use crisis, public reports indicate you may be within the group of people whose information was reviewed as part of Wyandot’s post-incident investigation, depending on what the ongoing investigation ultimately confirms.
As of early December 2025, Wyandot and public reports have not disclosed the total number of individuals impacted. The incident is not yet clearly listed with a public record of affected individuals on the HHS Office for Civil Rights’ breach portal. Accordingly, the full scope of the breach remains unknown.
If you have received behavioral health services from Wyandot Center (Kansas City Behavioral Health Center), Call Our Data Breach Lawyers 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com for a free and confidential consultation.
Woods Lonergan takes no fees unless we win.
What Information Was Exposed in the Wyandot Center Data Breach?
According to Wyandot’s own “Notice of Data Incident,” the files accessed during the attack contained highly sensitive personal and medical information. For many patients, the exposed data could include a combination of:
- First and last name
- Home address
- Date of birth
- Social Security number
- Patient ID and/or medical record number
- Health insurance information
- Service dates
- Diagnosis or condition information
- Provider name
- Prescription information
- Broader medical history information
This is not just contact information. The combination of identifiers (Social Security numbers, dates of birth, addresses) with detailed behavioral health and medical records creates a powerful “identity and health profile” that can be misused for:
- Long-term identity theft and financial fraud
- Fraudulent insurance claims or medical billing
- Extortion or harassment based on sensitive mental health diagnoses
- Permanent loss of medical privacy
For individuals receiving mental health or substance-use treatment, the risk is not only financial—there is also a serious risk of stigma, discrimination, and emotional harm if this information is circulated or misused.
Wyandot Center Data Breach Investigation: What Happened?
Public disclosures and Wyandot’s own notice set out the following general timeline:
- September 21–22, 2025 – Unauthorized access to Wyandot’s network.
Wyandot’s investigation concluded that an unauthorized third party accessed certain parts of its network over a roughly 24-hour period between September 21 and September 22, 2025. - On or around September 22, 2025 – Suspicious activity detected.
Wyandot reports that it “recently discovered unusual activity” on its systems and engaged third-party cybersecurity specialists to investigate and secure its environment. - By November 5, 2025 – Data review completed.
After confirming that unauthorized access occurred, Wyandot conducted a file-by-file review to determine what information was impacted and which individuals were affected, completing this review on November 5, 2025. - November 19, 2025 – Public notice posted.
Wyandot posted its Notice of Data Incident on its website and began notifying impacted individuals and offering credit monitoring and identity protection services.
Woods Lonergan is carefully reviewing publicly available information and reports, which allege that patient data was accessed during this incident, and is investigating whether Wyandot:
- Implemented reasonable cybersecurity safeguards in light of the known threat environment targeting healthcare and behavioral health providers; and
- Complied with its federal and state data breach notification obligations, including HIPAA’s requirement to notify affected individuals and HHS without unreasonable delay.
Statement from counsel (for context only):
“When a behavioral health provider is entrusted with details about a person’s trauma, diagnoses, and treatment, that trust extends to how their data is protected. A cyberattack may start with a hacker, but providers still have a duty to build strong defenses and be transparent when something goes wrong. Our investigation is focused on whether Wyandot took appropriate steps before, during, and after the incident, as some reports allege that sensitive information was accessed, and we will carefully evaluate all of the facts as they become available.”
Why Behavioral Health Data Breaches Are Especially Harmful
Data breaches at behavioral health centers carry unique, potential risks beyond standard financial fraud concerns:
- Stigma and discrimination. Exposure of diagnoses such as depression, PTSD, bipolar disorder, substance-use disorder, or trauma-related conditions can affect employment, housing, and personal relationships if misused.
- Safety and coercion risks. Sensitive case information—especially for survivors of abuse, justice-involved clients, or individuals in crisis—could be exploited by bad actors for extortion or harassment.
- Lifetime identity theft risk. The exposure of Social Security numbers, dates of birth, and medical record identifiers creates permanent identity theft risk that cannot be fully “undone.”
- Loss of trust in mental healthcare. Patients may hesitate to seek future treatment or disclose critical information to providers if they do not trust that their data will be kept secure.
Our Data Breach Lawyers treat behavioral health data incidents with the seriousness they deserve and seek remedies that reflect both the financial and non-financial harms victims face.
What Should You Do If You Received a Wyandot Center Data Breach Letter?
If you received a data breach notification letter from Wyandot Center—or believe your data may have been stored in Wyandot’s systems—you should assume your personal and medical information is at risk and take the following steps immediately:
- Carefully review and save the breach notice.
Keep a copy of all letters or emails you receive. They may be important if you later pursue legal claims or need to prove what you were told and when. - Enroll in the free credit monitoring and identity protection services offered.
Wyandot has stated that it is providing impacted individuals with complimentary credit monitoring and identity theft protection. Enroll promptly, but understand that these services are a minimum response—not full compensation for the risk you now face. - Place fraud alerts and consider a credit freeze.
Contact the major credit bureaus (Equifax, Experian, and TransUnion) to place a fraud alert or freeze on your credit to help block new accounts opened in your name. - Monitor your financial and medical accounts.
- Regularly review bank and credit card statements for unauthorized charges.
- Watch health insurance Explanation of Benefits (EOBs) for services you did not receive.
- Request and review your free annual credit reports.
You are entitled to free credit reports from each major bureau via AnnualCreditReport.com. Review them for new accounts, inquiries, or address changes you do not recognize. - Document any time and expenses you spend addressing the breach.
Keep records of phone calls, credit monitoring costs (beyond what is provided), and any fraud or identity theft incidents. This documentation may be important in a future claim for compensation.
If you live in Wyandotte County or the Kansas City, Kansas metro area and have received services at Wyandot Center, PACES, or the RSI Crisis Center, you may want to take these steps even if you are not yet sure whether your specific record was involved, as public sources indicate the review covered data stored across Wyandot’s network of local behavioral health programs.
What Legal Rights Do Victims of the Wyandot Center Data Breach Have?
Woods Lonergan PLLC is actively investigating the Wyandot Center data breach and evaluating potential claims on behalf of impacted patients and other individuals whose data was exposed. Based on what public reports allege and what further investigation may confirm, potential legal theories could include:
- Negligence / Gross Negligence – Based on allegations that Wyandot may have failed to implement reasonable and appropriate cybersecurity measures to protect highly sensitive behavioral health and medical information, subject to what the evidence ultimately shows.
- Negligence Per Se – If, as some reports suggest, Wyandot is found not to have complied with HIPAA or state data breach notification statutes requiring timely and adequate notice to affected individuals and regulators.
- Breach of Implied Contract – Patients were required to provide their Social Security numbers, health insurance information, and detailed medical histories as a condition of receiving care, which may be interpreted as creating an implied promise that Wyandot would use reasonable safeguards to protect that information.
- Unjust Enrichment – If a court were to determine that Wyandot did not invest adequately in cybersecurity and privacy safeguards while collecting and storing sensitive PHI, and thereby retained benefits while patients bore the risk and costs associated with the incident.
Our goal in any potential litigation would be to seek compensation for:
- The permanent risk of identity theft and loss of privacy
- Time and out-of-pocket costs spent responding to the breach
- Emotional distress and anxiety caused by the exposure of deeply personal behavioral health information
- Any proven fraudulent charges, medical identity theft, or other concrete harms
All of these legal theories are contingent on the facts developed through investigation and court proceedings, and no conclusions have been reached at this time regarding Wyandot’s ultimate legal responsibility.
For examples of other matters we have investigated, you can review our recent Data Breach Investigations, including transportation, healthcare, and critical-infrastructure incidents.
About Woods Lonergan PLLC
Woods Lonergan PLLC is a nationally recognized litigation firm with over 30 years of experience representing clients in complex commercial and civil litigation, as well as class actions and data privacy matters, in courts nationwide. Our business dispute and data breach attorneys have a long-standing track record of success in New York’s state and federal courts, including the Commercial Division of the New York Supreme Court and the Appellate Division, and are regularly retained to litigate high-stakes matters involving multi-million dollar claims across a wide range of industries and sectors with significant business impact.
Unlike much larger law firms, Woods Lonergan ensures that every case is directly handled by seasoned trial attorneys with decades of courtroom experience. From strategy to courtroom, your matter is led by experienced litigation counsel—not by a rotating team of junior lawyers—so you receive focused, senior-level representation from start to finish.
Contact Our Data Breach Litigation Team
If you have been affected by the Wyandot Center data breach, you may be entitled to compensation. Contact us for a free and confidential consultation. Woods Lonergan’s Data Breach Lawyers are skilled at helping affected patients and consumers understand their rights and options.
Call our Data Breach Litigation Team 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com. We take no fees unless we win.
Learn more about our Data Breach Investigations or contact us today to discuss your potential claim.