The Devereux Foundation Data Breach Exposes Clinical and Financial Information

Healthcare data breach illustration
Breach Discovery: 9th November 2025Breach Notification: Not Publicly Disclosed

What Happened in the The Devereux Foundation Data Breach?

The Devereux Foundation, a national behavioral healthcare nonprofit, discovered suspicious activity within its electronic systems on Nov. 9, 2025. As a result, the organization moved quickly to isolate the affected systems. This step aimed to limit further unauthorized access while the situation was assessed.

Devereux then launched an investigation with help from third-party cybersecurity specialists. Shortly after, a ransomware group known as The Gentlemen claimed responsibility for the attack. On Nov. 28, 2025, the group announced on a dark web forum that it had obtained sensitive organizational data. The group also threatened to publish the stolen information within nine to 10 days unless its demands were met.

Because the investigation is still underway, many specific details remain unconfirmed. However, the involvement of a known ransomware group, combined with its public claims of stolen data, indicates this was not a simple system disruption. Instead, it appears attackers actually accessed and removed sensitive files from Devereux’s network. The breach was also disclosed to the U.S. Department of Health and Human Services, a step required when protected health information may be involved.

Who was affected?

Devereux has acknowledged that several groups may be affected by this breach. These include current and former employees, clients, donors, payors and business partners. Given the breadth of these categories, the breach could touch a wide cross-section of people connected to the organization.

The exact number of affected individuals has not yet been disclosed. This is because the investigation into the scope of the incident is ongoing. Since Devereux provides behavioral healthcare services nationally, the geographic reach of this breach could be significant. In addition, because Devereux serves clients receiving behavioral health treatment, some affected individuals may include minors or other vulnerable populations.

What Information Was Potentially Exposed?

According to the data breach notice published on Devereux’s website, several categories of sensitive information may have been exposed. This information spans personal, clinical and financial details, which increases the potential severity of harm for those affected.

  • Names
  • Demographic details
  • Clinical information
  • Financial information

The exposure of clinical information is particularly concerning because it may reveal details about a person’s mental health treatment or diagnosis. As a result, affected individuals could face stigma, discrimination or other personal harm if this information becomes public. This type of exposure also makes individuals vulnerable to medical identity theft, where someone else uses stolen health data to obtain treatment or file fraudulent insurance claims.

Meanwhile, the exposure of financial information raises the risk of direct monetary fraud. For example, attackers could use financial details to open new credit accounts or make unauthorized charges. Because names and demographic details were also involved, criminals could combine this data with other information to craft convincing phishing scams or attempt identity theft.

What is the company doing?

Devereux is notifying individuals whose information may have been involved in the breach. In addition, the organization is providing complimentary credit monitoring services to those affected. This offer gives potentially impacted individuals a tool to detect suspicious financial activity early.

Beyond notification, Devereux has set up a dedicated call center to answer questions and provide assistance. The call center operates Monday through Friday, from 9 a.m. to 9 p.m. ET, excluding U.S. holidays. The organization has also outlined steps for protecting personal information, including placing fraud alerts or credit freezes with major credit bureaus, in its official notice. Devereux continues working with cybersecurity specialists as the investigation progresses.

What Should Affected Individuals Do?

Monitor Your Credit Reports Closely

Anyone potentially affected by this breach should regularly check their credit reports for unfamiliar accounts or inquiries. Devereux has encouraged individuals to remain vigilant over the next 12 to 24 months. This extended monitoring period reflects how long stolen data can remain useful to criminals.

You can request free credit reports from each of the three major credit bureaus. Reviewing these reports regularly helps you catch fraudulent activity before it causes lasting financial damage. If you notice anything suspicious, report it immediately to the bureau and to Devereux’s call center.

Consider a Fraud Alert or Credit Freeze

Because financial information may have been exposed, placing a fraud alert or credit freeze is a smart precaution. A fraud alert warns lenders to verify your identity before opening new credit in your name. A credit freeze goes further by blocking access to your credit file entirely.

To set up either protection, contact Equifax, Experian or TransUnion directly. These services are typically free and can be lifted temporarily whenever you need to apply for credit. Given the sensitivity of the data involved here, this extra layer of security is worth the small inconvenience.

Protect Yourself Against Medical Identity Theft

Since clinical information was potentially exposed, affected individuals should also watch for signs of medical identity theft. This can include unfamiliar medical bills, insurance claims you don’t recognize, or notices about treatment you never received. Because this type of fraud can affect your medical records, it’s important to catch it early.

If you spot anything unusual, contact your health insurance provider right away. In addition, request a copy of your medical records to verify their accuracy. Correcting errors quickly can prevent long-term confusion in your healthcare history.

Stay Alert for Phishing Attempts

Following a breach like this, scammers often use stolen names and details to craft convincing phishing emails or phone calls. These messages may pretend to be from Devereux, a credit bureau or even a government agency. Therefore, treat unexpected requests for personal information with caution.

Never click on links or provide sensitive details unless you can verify the sender’s identity. Instead, contact organizations directly using official phone numbers or websites. If you’re ever unsure, it’s safer to hang up and call back using a verified number.

Know Your Legal Options

If your personal or clinical information was compromised in this breach, you may have legal options worth exploring. Many affected individuals in similar breaches have pursued claims for damages related to exposed sensitive data. Consulting a data breach attorney can help clarify whether you qualify for compensation.

A free case evaluation can help you understand your rights without any upfront cost. Because deadlines for filing claims can vary, it’s wise to act sooner rather than later. This ensures you don’t miss any opportunity for potential compensation.



More Information

Official Notice from Devereux

Official Notice from Devereux

HHS Office for Civil Rights Breach Notification Portal

Related Data Breaches