Birmingham mental health authority warns 30,000+ people of data breach

The Jefferson Blount St. Clair Mental Health Authority in Birmingham, Alabama has notified 30,434 people of a November 2025 data breach, according to a new breach disclosure by the US Department of Health and Human Services.

The breach compromised the following personal info:

  • Names
  • Social Security numbers
  • Health insurance info
  • Dates of birth
  • Medical info including:
    • Billing and claims info
    • Diagnoses
    • Physician info
    • Medical record numbers
    • Medicare/Medicaid info
    • Prescriptions and medications
    • Diagnostic and treatment info

The data was collected by the JBS Mental Health Authority between 2011 and 2025.

A ransomware group called Medusa took credit for the breach on December 23, 2025 and demanded a $200,000 ransom to destroy 168.6 GB of stolen data. To prove its claim, Medusa posted sample images of what it says are documents stolen from JBS’ servers.

Medusa lists JBS Mental Health Authority on its data leak site.

JBS has not acknowledged Medusa’s claim. Comparitech cannot verify the authenticity of the posted data. We do not know if JBS paid a ransom or how attackers breached its network. JBS declined to comment on the record when contacted by Comparitech.

“On or around November 25, 2025, JBS learned that it was the victim of a ransomware attack,” says JBS’ notice (PDF) to victims. “Through the investigation, it was determined that unauthorized access to the network occurred on November 25, 2025. During that time certain files may have been subject to unauthorized access and/or acquisition. The files involved could relate to certain patients or employees between the years of 2011 and 2025.”

The notice does not mention any offer of free credit monitoring or identity theft protection for victims.

Who is Medusa?

Medusa first appeared in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of organizations that don’t pay ransoms. Medusa both locks down computer systems and steals data, forcing infected organizations to pay a ransom to restore systems and to not publish stolen data. The gang operates a ransomware-as-a-service scheme in which customers pay to use Medusa’s malware and infrastructure to launch attacks and collect ransoms.

In 2025, Medusa claimed responsibility for 35 confirmed ransomware attacks, plus 153 attack claims that haven’t been publicly acknowledged by the targeted organizations. The confirmed attacks compromised the personal data of 1.76 million people.

Over half of Medusa’s confirmed attacks struck healthcare providers like JBS, and those attacks account for the vast majority (1.65 million) of the group’s breach victims. Medusa demands providers pay $454,000 in ransom on average.

Pulse Urgent Care Center in California also recently started warning patients about a Medusa-claimed breach that occurred in March 2025. Following the breach, Medusa demanded $120,000 in ransom for 60.7 GB of data.

Ransomware attacks on US healthcare

Comparitech researchers logged 113 confirmed ransomware attacks in 2025 on US hospitals, clinics, and other healthcare providers. The resulting data breaches compromised the personal data of more than 8.9 million people.

Some of those attacks include:

Ransomware attacks on US hospitals, clinics, and other care providers can steal data and lock down infected computer systems. They can cripple critical systems and endanger the health, privacy, and security of patients. Infected hospitals and clinics must pay a ransom or face extended downtime, data loss, and increased risk to patients and staff. Hospitals and clinics might resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.

About the Jefferson Blount St. Clair Mental Health Authority

The JBS Mental Health Authority in Birmingham, Alabama runs four mental health facilities in three counties: Jefferson, Blount, and St. Clair.