Circle Park Behavioral Health Data Breach Exposes 7,020 Patients
On January 14, 2026, Florence County Commission on Alcohol & Drug Abuse, operating as Circle Park Behavioral Health Services, reported a significant data breach to the Department of Health and Human Services. The hacking incident compromised the personal and health information of 7,020 individuals across the United States, marking another concerning cybersecurity event in the behavioral health sector.
What Happened
Circle Park Behavioral Health Services experienced a hacking/IT incident that specifically targeted their email systems. The breach was classified as an email-based cyberattack, though the organization has not disclosed additional technical details about the nature of the intrusion or the specific methods used by the attackers.
The South Carolina-based behavioral health provider discovered the incident and subsequently reported it to federal authorities on January 14, 2026. Florence County Commission on Alcohol & Drug Abuse has retained Constangy, Brooks, Smith & Prophete, LLP to represent them in connection with this data security incident, indicating the serious nature of the breach and potential legal implications.
Who Is Affected
The breach impacted 7,020 individuals nationwide, with the majority of affected patients distributed across multiple states. According to the breach notification, South Carolina bore the heaviest impact with 1,157 affected individuals, while at least one person in New Hampshire was also affected. The remaining affected individuals are scattered across other states throughout the United States.
Circle Park Behavioral Health Services provides a broad range of behavioral health services to residents of Florence County, South Carolina, and surrounding areas. The affected individuals likely include current and former patients who received mental health, substance abuse treatment, or other behavioral health services from the organization.
Breach Details
The incident has been classified as a hacking/IT incident specifically targeting the organization's email infrastructure. Email-based breaches often involve several common attack vectors:
- Phishing attacks that compromise email credentials
- Business email compromise (BEC) schemes
- Malware infections that spread through email systems
- Unauthorized access to email accounts containing patient information
While Circle Park has not disclosed the specific type of information compromised, behavioral health providers typically maintain sensitive records including:
- Patient names and contact information
- Social Security numbers
- Insurance information
- Treatment records and diagnoses
- Medication histories
- Therapy session notes
- Billing and payment information
The breach notice indicates that both personal and health information was involved, suggesting that protected health information (PHI) under HIPAA was compromised during this incident.
What This Means for Patients
For the 7,020 affected individuals, this breach represents a serious privacy violation with potential long-term consequences. Behavioral health records are particularly sensitive, as they often contain information about mental health conditions, substance abuse treatment, and other deeply personal medical details.
Patients affected by this breach may face several risks:
Identity Theft: If Social Security numbers and other identifying information were accessed, patients could become victims of identity theft or financial fraud.
Medical Identity Theft: Criminals may use stolen health information to obtain medical services, prescription drugs, or file fraudulent insurance claims.
Discrimination Concerns: Mental health and substance abuse records could potentially be used to discriminate against individuals in employment, insurance, or other contexts.
Privacy Violations: The unauthorized disclosure of sensitive behavioral health information represents a significant breach of patient privacy and trust.
How to Protect Yourself
If you are a current or former patient of Circle Park Behavioral Health Services, consider taking these protective steps:
Monitor Your Accounts: Regularly review bank statements, credit card bills, and explanation of benefits (EOB) statements for unauthorized activity.
Check Your Credit Reports: Obtain free credit reports from all three major credit bureaus and look for suspicious accounts or inquiries.
Consider Credit Monitoring: While Circle Park has not announced whether they will provide credit monitoring services, affected individuals should consider enrolling in credit monitoring services independently.
Watch for Suspicious Communications: Be alert for phishing emails, suspicious phone calls, or mailings that may be attempts to gather additional personal information.
Report Suspicious Activity: If you notice any unauthorized use of your personal or health information, report it immediately to the appropriate authorities and your healthcare providers.
Review Medical Records: Check with your insurance company and healthcare providers to ensure no unauthorized services have been billed in your name.
Prevention Lessons for Healthcare Providers
This incident highlights critical cybersecurity challenges facing behavioral health providers and offers important lessons for the healthcare industry:
Email Security: Healthcare organizations must implement robust email security measures, including advanced threat protection, encryption, and employee training on phishing recognition.
Access Controls: Limiting access to PHI through email systems and implementing multi-factor authentication can help prevent unauthorized access.
Regular Security Assessments: Conducting regular cybersecurity risk assessments and penetration testing can help identify vulnerabilities before they are exploited.
Incident Response Planning: Having a comprehensive incident response plan enables organizations to quickly detect, contain, and respond to data breaches.
Employee Training: Regular cybersecurity awareness training helps staff recognize and respond appropriately to potential threats.
Data Minimization: Limiting the amount of PHI stored in email systems and implementing secure communication alternatives can reduce breach impact.
The behavioral health sector faces unique cybersecurity challenges, as these organizations often operate with limited IT resources while handling highly sensitive patient information. This breach serves as a reminder that all healthcare providers, regardless of size or specialty, must prioritize cybersecurity investments and HIPAA compliance.
As the investigation continues and more details emerge, affected patients should stay informed about developments and take appropriate steps to protect themselves. Healthcare providers should use this incident as a learning opportunity to strengthen their own cybersecurity posture and prevent similar breaches.