Unauthorized disclosure of behavioral health PHI
Organisation: Shasta County Health and Human Services Agency
Incident date: September 30, 2025
Nature of incident: Unauthorized access and data leak (insider incident)
Status: Confirmed
Reported by: Shasta County (official notice)
Shasta County Health and Human Services Agency has disclosed a data breach involving the unauthorized disclosure of protected health information (PHI) for approximately 164 clients of its Behavioral Health and Social Services branch, after a former employee sent emails and documents containing PHI to a personal email account.
According to the county, the incident is believed to have occurred over roughly six months, from March 2025 to September 2025, and was discovered on September 30, 2025, when officials became aware of the former employee’s actions and began an internal investigation.
The information involved includes client identifiers and clinical details: first and last names, initials, dates of birth, chart numbers, health plan names, diagnoses or conditions, medications, and treatment authorization details related to mental and behavioral health services.
For affected individuals, the exposure of behavioral health PHI could increase the risk of privacy harms such as unwanted disclosure of sensitive health conditions and potential misuse of personal details in phishing or social engineering attempts, even though the county has stated it is not currently aware of any misuse of the data.
Shasta County has indicated it will notify approximately 164 affected clients by mail. She is advising them to monitor credit reports and account statements, to consider placing fraud alerts with the major credit bureaus, and to contact law enforcement if suspicious activity is detected.
In its public notice, the agency states that it has launched an internal investigation, will report the incident to the U.S. Department of Health and Human Services Office for Civil Rights, and is reviewing privacy and security policies and procedures to reduce the likelihood of similar insider incidents in the future.
This breach highlights ongoing insider risk in healthcare environments where employees handle sensitive behavioral health records and underscores the ongoing regulatory and compliance pressure on public agencies to detect, contain, and report unauthorized disclosures of PHI in a timely and transparent manner.
Worried about your online data? Run a leak check now at Am I Hacked and protect your online security today.