Orange County Head Start (OCHS) - SafePay Ransomware Incident     

What we know so far     

• 3 June 2025 - The ransomware group SafePay added an entry labeled ochsinc.org.com to its leak site.      
• The leak page initially displayed only a teaser screenshot but has since been updated with a downloadable 171 GB ZIP archive.      
• Preliminary analysis of the leaked material shows exposure of personally identifiable information (PII), including:      
  • 5,566 unique email addresses      
  • 251 phone numbers      
  • 459 postal addresses      
• The victim is confirmed as Orange County Head Start Inc. in Santa Ana, California, because the legitimate domain is ochsinc.org, and SafePay is known for appending an extra “.com” in victim names.      
• As of 22 June 2025, no public statement appears on the OCHS website, and no breach notice is listed on the California Attorney-General’s portal.      
• SafePay follows a double-extortion model: steal data, encrypt systems, then threaten publication if ransom isn’t paid. Past incidents suggest initial access through compromised VPN credentials or appliances.     

What we still don’t know     

• Full data scope - Beyond the counts above, it remains unclear whether Social Security numbers, health data, or other sensitive records are included.      
• Exact number of individuals affected - If more than 500 Californians are impacted, OCHS will be legally required to file a public notice; none is yet on record.      
• Negotiation status - Neither SafePay nor OCHS has commented on ransom discussions.     

Practical steps you can take now     

Parents or guardians     

• Watch for a mailed or emailed breach notice.      
• Place a free fraud alert with any credit bureau; consider a credit freeze for yourself and your child (if they have a Social Security number).      
• Treat unsolicited calls, texts, or emails “from Head Start” requesting personal information as suspicious until OCHS provides an official communication channel.     

Current or former staff     

• Change any password reused between an OCHS system and personal accounts.      
• Monitor payroll portals for unexpected direct-deposit changes.      
• Obtain your free annual credit report and enable transaction alerts on bank and credit-card accounts.     

OCHS IT / admin     

• Rotate all VPN credentials and review VPN logs from late May onward.      
• Isolate and rebuild machines that show SafePay indicators.      
• Draft breach letters and prepare the California AG sample notice so they’re ready once the breach scope is fully confirmed.     

Bottom line     

The incident has escalated from a threat-actor claim to a confirmed data leak. With email, phone, and address information for thousands of individuals now publicly available, families and staff should assume personal records are at risk and act on the precautions above while awaiting an official update from OCHS.