Back to Blog
high severity July 01, 2026 · scope unconfirmed

tricountyhs.org Listed by incransom Ransomware Group

Flowers Early Learning (formerly known as Tri-County Head Start) is a non-profit 501(c)(3) organization providing free, high-quality early childhood education and family support services across Berrien, Cass, and Van Buren counties in Southwest Michigan. Funded by a federal grant through the Office of Head Start, the organization serves eligible families with children from birth to age five, as well as expectant mothers.

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed July 01, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On July 1, 2026, the ransomware group Incransom added tricountyhs.org to its public leak site, confirming that it had exfiltrated internal files from Flowers Early Learning, the nonprofit formerly known as Tri-County Head Start that serves families across Berrien, Cass, and Van Buren counties in Southwest Michigan.

Confirmed Facts from Reporting

Public reporting indicates the organization suffered a ransomware attack in which attackers gained access to internal systems and removed files before encrypting data. The nonprofit provides federally funded early childhood education and family support services for children from birth to age five and expectant mothers. No exact number of affected individuals has been disclosed, and the precise volume or content of the stolen files remains unclear from available reporting. The listing appeared on the Incransom leak site with a disclosure reference tied to the domain tricountyhs.org.

Why This Matters for You and Your Family

When a local nonprofit that handles enrollment forms, health records, family addresses, and contact details for young children is breached, the information can directly affect the families it serves. Internal files often contain names, dates of birth, addresses, phone numbers, and sometimes Social Security numbers for both parents and children. Once that data leaves the organization’s control, it can be sold, traded, or used to target you with identity theft, phishing, or harassment. For families with young children, the exposure creates long-term risk because a child’s records stay valuable to criminals for decades.

The Doxxing and Identity-Chain Implications

Leaked internal files frequently link an email address or phone number to a child’s name, parent’s employer, home address, and even details about daily routines. Attackers and data brokers can chain these fragments together with information from other breaches to build a complete profile. A single credential leak from this incident can cascade into gaming account takeovers if children use the same email or password on Roblox, Minecraft, or other platforms. Those compromised game accounts then become entry points for further doxxing, harassment, or social engineering against the entire household.

Incransom’s Publicly Known Track Record

Public reporting attributes Incransom with emerging in late 2024 as a ransomware operation that combines encryption with data theft and extortion. The group has listed schools, healthcare providers, and small nonprofits among its prior victims. Its typical playbook involves initial access through phishing or exploited remote desktop services, followed by exfiltration of sensitive files, deployment of ransomware, and later publication of samples on its leak site when victims do not pay. The group sets payment deadlines and gradually releases additional data to increase pressure.

What to do

  • Run a DoxxScan to map every link between your family’s emails, phones, handles, and real identities so you can see exactly what this breach connects to.
  • Rotate any password used at tricountyhs.org or Flowers Early Learning anywhere it is reused, and switch to 2FA through an authenticator app rather than text messages.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next time your information appears it is caught in hours, not months.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts which often chain back to the same leaked addresses and emails.
  • Let remediation specialists handle takedown requests across data brokers and exposed profiles while you focus on securing accounts at home.

The incident shows how quickly a local nonprofit’s breach can reach your front door and your children’s online lives. Taking concrete steps now limits how far criminals can travel down the identity chain that begins with this leak. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts. Start your DoxxScan trial today to regain control of your family’s exposed information.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.