Behavioral health authority now faces three class-action suits over data breach
Three class-action lawsuits have now been filed against the Richmond Behavioral Health Authority over a data breach that occurred in September.
All three of the suits, which have been filed separately in the U.S. District Court for the Eastern District of Virginia by former patients, claim that RBHA failed to properly safeguard the personal and health information it collected.
The authority “failed to take necessary precautions or employ adequate measures necessary to protect its computer systems against unauthorized access,” wrote Kara Toney in the most recent suit, filed Jan. 2.
RBHA did not respond to a request for comment on the lawsuits.
In a December notice to potentially impacted people, RBHA said that “malicious actors gained access to RBHA’s network on or about September 29, 2025, and deployed ransomware to encrypt portions of the network.”
“The malicious actors’ network access was terminated as soon as it was detected. There is no definitive evidence that your personal information was accessed at this time,” the authority wrote. “However, because an unknown actor gained access to our network, we are providing this notice out of an abundance of caution.”
According to the U.S. Department of Health and Human Services’ Office for Civil Rights, which is investigating the breach, 113,232 individuals were potentially affected.
In her lawsuit, Toney said she has experienced “a significant increase in spam calls” since the server was hacked. Shanequa Reed, who filed her lawsuit Dec. 18, said in her complaint that she had “experienced actual financial fraud” following the breach when three unauthorized charges were made to her checking account. In addition, she said she had received security alerts for attempted unauthorized logins and “a noticeable increase in nuisance communications.”
All three lawsuits contend the authority should have taken more steps to prevent hacks, especially given the sensitive nature of the health records it preserves, and should have notified people affected more quickly.
Federal regulations require that affected individuals be notified of a breach “without unreasonable delay and in no case later than 60 days.” The Dec. 4 notification was sent 66 days after the hack.
People whose information was compromised “now face years of constant surveillance of their financial and personal records,” wrote Nathan Custalow-Hall.
Toney said health records are particularly “likely to be used in detrimental ways.”
“Health information enables thieves to go beyond traditional identity theft and obtain medical treatments, purchase prescription drugs, submit false bills to insurance companies, or even undergo surgery under a false identity,” she said in her suit. “The shelf life for this information is also much longer — while individuals can update their credit card numbers, they are less likely to change their health insurance information.”
Contact Reporter Sarah Vogelsong at svogelsong@richmonder.org