On December 2, 2024, Mental Health Association Inc. ("MHA") discovered that its systems had potentially been compromised by an unauthorized actor. Upon discovering this incident, MHA immediately collaborated with their Managed Service Provider (MSP) to secure their systems. Additionally, MHA engaged a specialized third-party cybersecurity firm to conduct a forensic investigation into their network environment to determine the exact nature and scope of the breach.
Currently, the forensic investigation is still ongoing, and MHA is in the process of analyzing the results. At this point, it is unclear exactly how many individuals were affected and precisely what types of information were exposed. However, MHA has confirmed that the breach may have resulted in unauthorized access to sensitive consumer data.
Once the forensic investigation is complete, MHA will identify all affected individuals and the specific types of personal information involved. Formal notification letters will then be mailed directly to those impacted.
As of April 1, 2025, MHA has not received any reports of identity theft or fraudulent misuse of personal information linked to this incident. However, given the nature of MHA's services, it is possible that both personally identifiable information (PII) and protected health information (PHI) could have been exposed.
PII typically includes names, addresses, Social Security numbers, dates of birth, and other identifying details. PHI may involve medical history, treatment information, insurance details, and other sensitive health-related data.
Since discovering the breach, MHA has taken several actions to mitigate further risk and protect consumer information. First, MHA disconnected all access to their network and worked diligently to restore operations in a secure manner. They have also enhanced their security measures to prevent similar breaches from occurring in the future.
To assist potentially affected individuals, MHA has provided detailed guidance on how to protect against identity theft and fraud. They recommend that consumers regularly review account statements, monitor credit reports, and remain vigilant for suspicious activity. Additionally, MHA has provided comprehensive resources and instructions for placing fraud alerts or credit freezes on credit files.
If you believe you may have been affected by this breach, MHA suggests contacting your financial institution and the major credit bureaus to inform them of the incident. You can request a free credit report by visiting AnnualCreditReport.com. For more detailed information about this incident, MHA has published a Preliminary Substitute Notice on their website.
MHA has established a dedicated toll-free phone line for individuals who have questions or concerns about the breach. Consumers can call 888-802-9364 Monday through Friday, between 9:00 a.m. and 9:00 p.m. Eastern Standard Time (excluding U.S. national holidays).