Union County, PA notifies victims of data breach that leaked SSNs and health info

Union County, Pennsylvania yesterday confirmed it notified an undisclosed number of people of a March 2025 data breach that compromised Social Security numbers, driver’s license numbers, and protected health information held by the County Children and Youth Services.

A breach disclosure on the US Department of Health and Human Services website states Union County notified 501 people, but that figure is likely just a placeholder until the total number of victims is determined.

“On March 13, 2025, the County detected ransomware on our computer network,” says Union County’s latest notice (PDF) to victims. “On March 17, 2025, as part of the ongoing investigation, we determined that the cyber criminals took certain data from our network, which included personally identifiable information. The affected information appears to be mostly related to individuals involved with County law enforcement, court related matters, and/or other County business.”

We do not know if Union County paid a ransom, how much attackers demanded, how many people are affected, or how attackers breached the county’s network. Comparitech contacted Union County officials for comment and will update this article if it replies.

“Although the investigation is still ongoing, at this time we have determined that the data may contain Social Security numbers and driver’s license numbers. During our ongoing review, we determined that protected health information (“PHI”) held by County Children and Youth Services was also impacted,” the notice says.

County officials immediately attributed (PDF) the data breach to a ransomware attack. No ransomware group has claimed responsibility for the attack as of the time of writing.

The county says that once it finishes its investigation, it will offer complimentary credit monitoring services where appropriate.

Ransomware attacks on US government

Comparitech researchers have logged 24 confirmed ransomware attacks on government entities in the US in 2025 to date, compromising more than 8,500 records.

Other recent such attacks include:

  • West Haven, CT notified 4,932 people of a January 2025 data breach claimed by Qilin
  • Franklin County, ME notified 95 people of a January 2025 data breach
  • The State Bar of Texas notified 3,012 people of a January 2025 attack claimed by Inc
  • Cobb County, GA notified 10 people of a March 2025 data breach claimed by Qilin
  • Abilene, TX reported an April 2025 data breach that was claimed by Qilin
  • Blaine, MN reported an April 2025 data breach claimed by Qilin

On average, it takes government departments and agencies more than 4 months to notify victims of a data breach after a ransomware attack, so many attacks in 2025 have yet to be confirmed.

Ransomware attacks on US government agencies and departments can steal data and lock down computer systems. The attacker then demands a ransom in exchange for deleting the stolen data and providing a key to recover infected systems. If the target doesn’t pay, it could take weeks or even months to restore systems, data could be lost permanently, and people whose data was stolen are put at greater risk of fraud. Ransomware can disrupt everything from communications to billing, payroll, and online services.

About Union County, Pennsylvania

Union County is home to about 43,000 people in central Pennsylvania. The county seat is Lewisburg and its biggest city is East Buffalo Township.

