Jefferson-Blount-St. Clair Mental Health Authority
Analysis of the Jefferson-Blount Mental Health Authority ransomware attack by Medusa group affecting 30,434 individuals.
Published by the Scrutex.ai Research Team | January 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
Jefferson-Blount-St. Clair Mental Health Authority
Regional mental health authority serving Jefferson, Blount, and St. Clair counties in Alabama, providing mental health, substance abuse, and intellectual disability services.
Sector
Healthcare / Mental Health
Region
United States
Date of Incident
Prior to January 2026 (exact date not disclosed)
Date Disclosed
January 2026
Estimated Impact
30,434 individuals
Data Types Exposed
Mental health services data (specific fields not publicly detailed)
Attack Type
Ransomware
Attack Vector
Ransomware deployment by Medusa group (specific initial access vector not disclosed)
Threat Actor
Medusa ransomware group
Current Status
Under investigation. HIPAA breach notification filed. Affected individuals being notified.
Severity Assessment
Critical due to data sensitivity. Over 30,000 individuals had mental health services data exposed, representing one of the most sensitive categories of health information.
What Happened
In January 2026, Jefferson-Blount-St. Clair Mental Health Authority disclosed a ransomware attack affecting 30,434 individuals. The Medusa ransomware group has been linked to the incident.
The compromised data includes mental health services data, which is among the most sensitive categories of health information. HIPAA breach notification requirements apply.
Timeline
January 2026
Jefferson-Blount-St. Clair Mental Health Authority discloses ransomware attack by Medusa affecting 30,434 individuals
Threat Actor Profile
Medusa is a ransomware group that has been active since 2021, operating a ransomware-as-a-service model with a public leak site for publishing victim data.
The group has increasingly targeted healthcare and mental health providers, recognising the heightened sensitivity and leverage that mental health data provides in extortion scenarios.
Impact and Risk Assessment
For Affected Individuals
30,434 individuals had their mental health services data exposed. Mental health data carries additional stigma and sensitivity beyond typical health information.
Exposure of mental health records can have severe personal and professional consequences, including discrimination and social stigma.
Individuals receiving substance abuse treatment may face particularly acute privacy concerns.
For Organisations
The Mental Health Authority faces HIPAA enforcement risk and potential 42 CFR Part 2 implications if substance abuse treatment records were included.
Mental health providers nationally should assess their ransomware preparedness in light of this incident.
Regulatory Context
HIPAA breach notification requirements apply. Additional protections under 42 CFR Part 2 may apply if substance abuse treatment records were compromised.
Mental health data receives heightened protection under many state laws beyond standard health information.
What Should You Do?
If You Are a Potentially Affected Individual
If you receive services from this Mental Health Authority, be alert to any unusual communications and monitor your credit reports.
Mental health records are subject to enhanced legal protections. If you believe your records have been misused, consult with a privacy attorney.
If You Are a Security or Risk Professional
Mental health providers should apply the highest levels of data protection given the enhanced sensitivity of their data. This includes encryption at rest, network segmentation, and robust backup procedures.
Consider the specific regulatory requirements for mental health and substance abuse data when designing security controls.
Learnings and Recommendations
Mental health data carries additional stigma and sensitivity beyond typical health information. Its exposure can have severe personal and professional consequences for affected individuals.
Ransomware groups continue to target mental health providers, which often have limited security investment relative to the sensitivity of the data they hold.
Sources
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.