There is currently no finalized class action settlement for the Counseling Center of Wayne and Holmes Counties data breach. However, multiple law firms are actively investigating claims on behalf of the 83,354 individuals whose sensitive health and personal information was compromised in a March 2025 cyberattack. If you received notice that your data was exposed in this breach—including your Social Security number, health insurance details, or medical records—you have legal options, and several firms are pursuing compensation for affected patients without requiring upfront costs.
The breach represents one of the more serious healthcare data incidents in recent years, affecting residents across Wayne and Holmes Counties in Ohio with access to sensitive medical and identity information. Unlike some data breaches that involve only names and addresses, this incident exposed the type of personal information that criminals actively seek for identity theft and fraud. Understanding your situation and your rights is critical while the legal process unfolds.
Table of Contents
- What Happened in the Counseling Center Data Breach
- What Personal Information Was Compromised
- Multiple Law Firms Are Investigating Claims
- What Victims Should Do Right Now
- Beware of Scams Targeting Breach Victims
- Timeline and Current Status of the Investigation
- What to Expect in the Coming Months
- Conclusion
What Happened in the Counseling Center Data Breach
On March 2-3, 2025, the counseling Center of Wayne and Holmes Counties, located in Wooster, Ohio, experienced a significant data breach involving unauthorized access to patient records. According to breach notifications and reporting from HIPAA Journal, an unauthorized actor gained access to the center’s systems on March 2, and on March 3, that person exfiltrated sensitive patient data. This two-stage breach—initial access followed by data theft—is typical of sophisticated cyberattacks targeting healthcare facilities.
Healthcare organizations are frequent targets for cybercriminals because patient files contain both medical information and identifiers that can be monetized for identity theft, insurance fraud, or medical fraud. The fact that the Counseling Center’s systems were compromised suggests either insufficient security measures, unpatched vulnerabilities, or successful phishing attacks that bypass staff training. The speed at which the attacker moved from access to exfiltration (within one day) indicates the breach was likely discovered relatively quickly, which limited the duration of exposure.
What Personal Information Was Compromised
The data breach exposed multiple categories of sensitive information for 83,354 people, making this one of the larger healthcare breaches in the region. Compromised information included Social Security numbers, health insurance details and member ID numbers, medical record numbers, specific diagnoses and treatment information, driver’s license or state ID numbers, names, and dates of birth. This combination of data is particularly dangerous because it provides everything needed for comprehensive identity theft—attackers have your healthcare information to file fraudulent claims and your identification documents to open accounts in your name.
The inclusion of specific diagnoses and treatment information adds a layer of vulnerability beyond standard identity theft. Mental health records, in particular, are sensitive information that many people prefer to keep private. Criminals could use this information for extortion, discrimination, or to target individuals for medical identity theft related to their specific conditions. This is a significant limitation of relying on credit monitoring services alone; they typically only monitor financial accounts, not fraudulent medical claims filed under your identity or blackmail attempts related to disclosed health conditions.
Multiple Law Firms Are Investigating Claims
As of April 2026, four major law firms are investigating potential claims on behalf of affected individuals: Lynch Carpenter LLP, Strauss Borrelli PLLC, The Lyon Firm, and For the People. Each of these firms has issued investigation notices and is actively seeking individuals who received breach notification letters from the Counseling Center. This multi-firm investigation is common in large data breaches, as different law firms may identify and represent different groups of claimants, though ultimately they may collaborate or coordinate in related litigation.
The fact that multiple respected firms are investigating is actually a positive indicator for potential claimants—it suggests there is genuine legal merit to pursue damages, and victims have options regarding which firm to work with. However, it’s important to note that as of April 2026, these firms are still in the investigation phase, meaning no settlement has been reached and no compensation amount has been determined. Victims should contact one of these firms directly to express interest in joining an investigation, but should be cautious about any unsolicited offers or guarantees of recovery.
What Victims Should Do Right Now
If you received a breach notification letter from the Counseling Center, the first step is to contact one of the investigating law firms to report your exposure. You can reach out to Lynch Carpenter LLP, Strauss Borrelli PLLC, The Lyon Firm, or For the People, and discuss your potential claim. These firms typically work on a contingency basis, meaning they only collect a fee if they successfully recover compensation—you should not be asked to pay upfront costs to join an investigation.
Beyond contacting a law firm, you should take immediate steps to protect your identity. Monitor your credit reports from all three bureaus (Equifax, Experian, and TransUnion), place a fraud alert with the bureaus, and consider freezing your credit to prevent unauthorized account openings. Watch for suspicious medical bills or insurance claims, and if you have health insurance, contact your provider to report the breach and ask them to flag your account for unusual activity. The challenge with medical identity theft is that it can take months or years to detect—an attacker might file fraudulent claims under your insurance that don’t show up on your personal credit report.
Beware of Scams Targeting Breach Victims
As with most major data breaches, scammers will attempt to exploit victims by impersonating law firms, offering fake claim filing services, or requesting payment for “assistance.” A critical warning: legitimate law firms investigating this breach will not call you unsolicited asking for payment or personal information beyond what’s already in the breach notification records. Do not provide banking information, wire money, or pay fees to anyone claiming they can expedite your claim or guarantee a settlement amount. Additionally, be cautious of websites claiming to offer claim filing services for a fee.
Reputable law firms allow victims to file claims directly at no cost. If someone contacts you via email or phone claiming to represent one of the four investigating firms but the contact came through an unsolicited message, verify directly by calling the law firm’s main office number (found through your own internet search, not through a link provided by the unsolicited contact). This verification step can save you from becoming a victim twice—once in the original breach and again through a scam targeting breach victims.
Timeline and Current Status of the Investigation
The breach was discovered and reported in early 2026, with law firms launching their investigations by mid-February 2026. The Counseling Center itself was required under HIPAA regulations to notify affected individuals of the breach, though the specific notification timeline varies. As of April 2026, the investigation remains active, meaning law firms are still gathering information, evaluating claims, and determining the scope of potential damages.
The investigation phase typically lasts several months to over a year, depending on the complexity of the case and the volume of affected individuals. During the investigation phase, no settlement negotiations are happening yet. Law firms are building their case, gathering evidence of the breach’s impact on victims, and assessing the Counseling Center’s security practices and response. This is an important distinction: you can join an investigation now, but settlement discussions and compensation amounts will only be determined later, assuming the legal claims proceed toward a settlement rather than trial.
What to Expect in the Coming Months
If a settlement is reached in this case—which remains uncertain and will depend on litigation progress—affected individuals who have joined the investigation would likely be notified and informed of their eligibility for compensation. Settlement amounts in healthcare data breaches typically range from a few hundred to several thousand dollars per victim, depending on factors like the sensitivity of the exposed data, the number of claimants, the organization’s financial liability, and court approval. However, predicting settlement amounts at this stage would be speculation; the actual compensation will be determined through the legal process.
Looking forward, victims should expect that any settlement process will require verification that they were actually affected in the breach—typically through Social Security number matching or other identity verification. If a settlement is reached, victims would need to submit a claim form, and the settlement would be divided among all eligible claimants. Given that over 83,000 people were affected, individual payouts would be split across a large pool unless there is insurance coverage or the Counseling Center has substantial assets to draw from.
Conclusion
The Counseling Center of Wayne and Holmes Counties data breach has affected over 83,000 people with the exposure of critical personal and health information. While no settlement has been finalized, multiple law firms are actively investigating claims and pursuing legal action on behalf of affected individuals.
Victims have the opportunity to join these investigations at no upfront cost and potentially recover compensation if the case proceeds to settlement. If you were affected by this breach, take action now: contact one of the investigating law firms, monitor your credit and medical activity closely, and remain vigilant against scams targeting breach victims. The legal process will take time, but joining an investigation preserves your rights to compensation and ensures you have professional representation as claims are pursued.