Active breach tracker Las Cruces, NM Disclosed January 23, 2025

Aprendamos Intervention Team, P.A. Data Breach 2025: 1,916 Affected · Insider Email Exfiltration · NM. Filed With HHS OCR. What To Do.

Aprendamos Intervention Team, P.A. (Las Cruces, NM) filed a HIPAA breach notification with the HHS Office for Civil Rights on January 23, 2025, reporting 1,916 affected individuals after a departing employee transferred electronic PHI to a personal email account on their last day of employment. The pediatric early-intervention provider has offered free credit monitoring to eligible clients.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 4, 2024

Unauthorized PHI transfer by departing employee

Dec 4, 2024

Internal investigation initiated

Jan 23, 2025

Filed with HHS OCR

Feb 28, 2025

Media notice and client outreach

Data exposed

03

Contact & insurance

Phishing + targeted scams

Names Dates of birth Protected health information associated with early-intervention services (per HIPAA notice)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Aprendamos Intervention Team, P.A. — a pediatric early-intervention and developmental therapy provider based in Las Cruces, New Mexico — filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on January 23, 2025, reporting 1,916 affected individuals. According to the entity’s own public notice, a departing employee transferred electronic protected health information to a personal external email account on their last day of employment on December 4, 2024. Aprendamos has characterized the incident as unauthorized internal exfiltration; it has stated it has no indication the data has been further accessed or misused by any third party.

Timeline

  • December 4, 2024 — A departing Aprendamos employee transferred electronic PHI to an external personal email account on their last day of employment. The transfer was identified through internal review the same day.
  • December 2024 – January 2025 — Aprendamos conducted an internal investigation to determine the scope of records involved and engaged outside cybersecurity counsel.
  • January 23, 2025 — Aprendamos filed a breach report with HHS OCR covering 1,916 individuals.
  • February 28, 2025 — Aprendamos issued public notice under 45 CFR § 164.406 (HIPAA media-notification requirement for breaches affecting more than 500 residents of a state or jurisdiction), began direct outreach to impacted clients and employees, and opened a dedicated hotline at (575) 323-9705.

What was exposed

Based on the entity’s own statements to local media, the data elements involved were primarily:

  • Names
  • Dates of birth
  • Protected health information associated with early-intervention services (the specific clinical fields have not been enumerated in public statements; individual notification letters identify the elements applicable to each recipient)

Aprendamos has reported the breakdown publicly as approximately 1,895 clients and 101 employees. The HHS OCR portal aggregates this as 1,916 affected individuals under a single covered-entity filing.

A sensitive population: pediatric early-intervention clients

Aprendamos is an Early Intervention (Part C of IDEA) and developmental therapy provider in southern New Mexico. Its client population is overwhelmingly children from birth to age three with diagnosed developmental delays or disabilities, along with their families. This profile makes the breach materially more sensitive than a comparable adult-population incident:

  • Records concerning minors with developmental conditions can follow a child through decades of educational, medical, and insurance interactions.
  • Dates of birth for very young children, combined with names, create a long-tail synthetic-identity risk that does not surface until the child applies for credit as a young adult.
  • Some impacted families may have additional indicators in their records (Medicaid eligibility, IFSP/IEP references, diagnostic terminology) that, even if not enumerated in the public notice, would warrant scrutiny of the individual letter when received.

What Aprendamos is offering

Per the entity’s public notice:

  • Free credit monitoring at no cost to eligible clients. The notice does not specify the credit-monitoring vendor or duration in publicly available reporting; the individual notification letter is the controlling document.
  • A dedicated hotline at (575) 323-9705 for client questions.
  • A stated commitment to a comprehensive review of security protocols and engagement with cybersecurity experts.

Class-action status

As of the date of this page, no class-action complaint against Aprendamos Intervention Team, P.A. arising from the December 2024 incident appears in the major class-action trackers (ClassAction.org, TopClassActions, DataBreachLawsuit.org). The HHS OCR entry remains open and under review.

What to do if you may be affected

  • Read your notification letter carefully. It will name the specific data elements exposed for you (or your child) and the exact terms of any credit-monitoring enrollment offered, including the activation code and deadline.
  • For affected minors: request a minor’s credit freeze from each of the three nationwide consumer reporting agencies. Freezing a child’s credit before any synthetic-identity activity begins is the single most effective protection. It is free under federal law.
  • For affected adults (employees and parents): place a credit freeze on your own files at Equifax, Experian, and TransUnion.
  • Review benefit statements — if your child receives Medicaid or commercial insurance for therapy services, watch Explanation of Benefits documents for services you did not receive.
  • Call the dedicated hotline at (575) 323-9705 with specific questions about whether you or a family member is affected.
  • Bookmark this page. We update it as the OCR matter progresses, individual notification letters surface, or any litigation is filed.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.