Baylor Scott & White Texas Spine & Joint Hospital Data Breach 2025: 1,640 Affected · Hacking/IT Incident · TX. Filed With HHS OCR. What To Do.
Baylor Scott & White Texas Spine & Joint Hospital (TX) filed a HIPAA breach notification with the HHS Office for Civil Rights on March 14, 2025, reporting 1,640 affected individuals in a Hacking/IT Incident event at Email. The HHS OCR portal entry is the primary public record; further details are not yet publicly di...
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 10, 2025
Unauthorized third party gained access to a Microsoft 365-hosted business email account
Jan 14, 2025
Unauthorized access ended (four-day access window)
Jan 15, 2025
Hospital discovered the email account compromise and launched its investigation
Mar 14, 2025
Breach reported to HHS Office for Civil Rights (1,640 individuals; Hacking/IT Incident at Email)
Mar 14, 2025
Notification letters mailed to affected individuals; public substitute notice posted on tsjh.org
Jan 10, 2025
Unauthorized third party gained access to a Microsoft 365-hosted business email account
Jan 14, 2025
Unauthorized access ended (four-day access window)
Jan 15, 2025
Hospital discovered the email account compromise and launched its investigation
Mar 14, 2025
Breach reported to HHS Office for Civil Rights (1,640 individuals; Hacking/IT Incident at Email)
Mar 14, 2025
Notification letters mailed to affected individuals; public substitute notice posted on tsjh.org
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Baylor Scott & White Texas Spine & Joint Hospital, a Tyler, Texas surgical hospital, reported a HIPAA breach to the U.S. Department of Health and Human Services Office for Civil Rights on March 14, 2025, affecting 1,640 individuals. The OCR portal classifies the event as a Hacking/IT Incident at Email. According to the hospital’s own substitute notice and contemporaneous reporting by KLTV, CBS19, and Becker’s Spine Review, an unauthorized third party accessed a single Microsoft 365-hosted business email account for about four days in January 2025 before the intrusion was detected and contained.
Timeline
- January 10, 2025 — Unauthorized access to a Microsoft 365 email account begins.
- January 14, 2025 — Unauthorized access ends; the access window spans four days.
- January 15, 2025 — The hospital discovers the compromise and begins its investigation with outside forensics and counsel.
- March 14, 2025 — The hospital reports the incident to HHS OCR, posts a substitute notice on tsjh.org, and mails individual notification letters to the 1,640 affected patients.
What was exposed
The hospital’s substitute notice describes the data that may have been present in the compromised mailbox. Specific elements vary by individual and not every category applies to every affected person:
- Full name, date of birth, and address
- Medical and treatment information, including dates of service, provider and facility names, and procedure codes
- Billing and claims information, including account or claim status, transaction and charge identification numbers, patient account identifiers, and payor information
The hospital states the following data elements were not involved: Social Security number, driver’s license number, credit and debit card information, bank account information, and account passwords.
What the hospital is offering
The substitute notice does not advertise complimentary credit monitoring or identity-theft protection. Because Social Security numbers and financial account data are described as not implicated, the hospital’s offering focuses on general guidance: monitoring account statements, reviewing free credit reports, and considering fraud alerts. A toll-free call center at 1-800-939-4170 was made available for 90 days after the notice for affected individuals with questions.
Class-action posture
Plaintiff-side firms including Console & Associates and Srourian Law Firm publicly announced investigations into potential class claims shortly after the March 14, 2025 notice. As of this page’s last update, no consolidated complaint or certified class has been identified in the public record; the matter remains at the pre-litigation investigation stage from the plaintiffs’ bar perspective, and the HHS OCR investigation remains open.
What to do if you may be affected
- Read your notification letter carefully. The letter sent to your address on file will list the specific data elements that appeared in your record. Hold onto it; class-action firms and any future settlement administrator will ask for it.
- Place a fraud alert or credit freeze. Even though SSNs and financial accounts are not described as involved, the dates-of-birth, addresses, and medical detail in this breach are useful inputs for medical-identity and synthetic-identity fraud. A free credit freeze with the three nationwide bureaus is the highest-leverage protective step.
- Watch your Explanation of Benefits statements. Review every EOB from your health insurer and flag any procedure, provider, or facility you do not recognize. Medical-identity theft typically surfaces in claims data before it surfaces on a credit report.
- Be wary of phishing. Treat unexpected calls, texts, or emails referencing your care at Texas Spine & Joint Hospital with suspicion. The hospital will not ask for your Social Security number or financial information over the phone in connection with this incident.
- Use the hospital’s call center while it is open. 1-800-939-4170 was set up specifically for this incident and is the fastest route to confirm whether your record was among the 1,640 affected.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach (1,640 individuals, Hacking/IT Incident, Email, reported March 14, 2025).
- Notice of Data Security Incident — the hospital’s own substitute notice describing the access window, the data categories involved, and the call-center contact.
- KLTV news report — local East Texas television coverage at the time of disclosure.
- CBS19 news report — Tyler, Texas television coverage confirming the notice.
- Becker’s Spine Review — trade-press coverage in the orthopedic and spine sector.
- JDSupra (Console & Associates P.C.) — plaintiff-firm summary including the class-action investigation posture.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Notice of Data Security Incident — Baylor Scott & White Texas Spine & Joint Hospital (tsjh.org)
- KLTV — Baylor Scott & White Texas Spine & Joint Hospital reports patient data breach
- CBS19 — Hospital notifies patients of data security incident
- Becker's Spine Review — Hospital reports patient data breach
- JDSupra (Console & Associates) — Breach Leaks Confidential Patient Information
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.