Active breach tracker IL Disclosed April 13, 2025

Blue Cross and Blue Shield of Texas Data Breach 2025: 12,086 Affected · Blue Access for Members Portal Unauthorized Access. What To Do.

Blue Cross and Blue Shield of Texas notified 12,086 members that their Blue Access for Members (BAM) portal accounts were accessed by an unauthorized third party between November 8, 2024 and March 5, 2025. BCBSTX detected the activity on February 11, 2025 and filed with HHS OCR on April 13, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 8, 2024

Unauthorized access to Blue Access for Members (BAM) accounts begins

Feb 11, 2025

BCBSTX detects unusual activity on the BAM portal

Feb 11, 2025

Breach detected

Mar 5, 2025

End of the unauthorized access window per BCBSTX

Apr 13, 2025

BCBSTX files HIPAA breach notification with HHS OCR (12,086 affected)

Apr 13, 2025

Disclosed publicly

Apr 15, 2025

Breach posted to the Texas Attorney General data breach notification database

Apr 18, 2025

BCBSTX mails individual notification letters and posts substitute notice

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical record numbers

03

Contact & insurance

Phishing + targeted scams

Name Address Telephone and fax numbers Email address Service dates Health plan beneficiary numbers Account numbers Medical and dental service and billing information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Blue Cross and Blue Shield of Texas (BCBSTX) notified 12,086 members that an unauthorized third party accessed their Blue Access for Members (BAM) portal accounts between November 8, 2024 and March 5, 2025. BCBSTX says it detected the activity on February 11, 2025, and filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 13, 2025. The Texas Attorney General’s breach notification database picked the incident up two days later, and BCBSTX began mailing individual notification letters on April 18, 2025.

This is the BAM portal incident specifically. It is a separate event from the much larger Conduent vendor breach that also affected BCBSTX members and is the subject of a separate Texas Attorney General investigation.

Timeline

  • November 8, 2024 — Unauthorized access to BAM accounts begins, per BCBSTX’s notice.
  • February 11, 2025 — BCBSTX detects unusual activity on the BAM portal.
  • March 5, 2025 — End of the access window BCBSTX has identified to date.
  • April 13, 2025 — BCBSTX files with HHS OCR, listing 12,086 affected and incident type “Unauthorized Access/Disclosure.”
  • April 15, 2025 — Breach appears on the Texas Attorney General data breach notification database.
  • April 18, 2025 — BCBSTX mails individual notification letters and publishes a substitute notice on its website.

What was exposed

BCBSTX’s notice lists the categories of information that may have been viewed in affected BAM accounts:

  • Name, address, date of birth
  • Telephone numbers, fax numbers, email addresses
  • Service dates
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Medical and dental service and billing information

Plaintiffs’ firms reviewing notification letters have additionally reported that Social Security numbers and driver’s license numbers were included for some members, though those elements are not enumerated in the public substitute notice. The exact data set per individual is listed in the personalized notification letter mailed to each affected member.

What BCBSTX is offering

BCBSTX is offering affected members a complimentary one-year membership in Experian’s IdentityWorks identity-theft detection and resolution service. Enrollment instructions and an activation code are included in each individual notification letter. BCBSTX has not publicly disclosed an extension beyond the one-year term.

Class-action status

As of this writing, multiple plaintiffs’ firms — including Strauss Borrelli PLLC and Federman & Sherwood — have publicly opened investigations into the BAM portal incident and are soliciting affected members. No consolidated class action filing tied specifically to the 12,086-member BAM incident has been confirmed on the public docket. The Conduent-related litigation is being tracked separately and is not the same case.

What to do if you may be affected

  • Read the notification letter carefully. Your letter lists the specific data elements exposed for your account, which may include items beyond the substitute notice (such as Social Security number).
  • Activate the Experian IdentityWorks coverage using the code in your letter. It is free for one year and includes credit monitoring and identity-restoration support.
  • Freeze your credit with all three nationwide consumer reporting agencies. A freeze is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft.
  • Change your Blue Access for Members password and enable any available multi-factor authentication on the account. If you reused the password elsewhere, change it on those sites too.
  • Watch your Explanation of Benefits statements for medical services you did not receive. Report anything unfamiliar to BCBSTX member services using the number on the back of your insurance card.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.