Blue Cross Blue Shield of Texas Data Breach 2025: 593 Affected · Paper/Films Unauthorized Access · IL Business Associate Filing. What To Do.
Blue Cross Blue Shield of Texas filed a second HIPAA breach notification with the HHS Office for Civil Rights on May 9, 2025, reporting 593 affected individuals in an Unauthorized Access/Disclosure event involving paper records. The filing is distinct from the larger BCBSTX/Conduent incident under Texas Attorney General investigation.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 9, 2025
HIPAA breach notification filed with HHS OCR — 593 individuals, Paper/Films, Unauthorized Access/Disclosure
May 9, 2025
HIPAA breach notification filed with HHS OCR — 593 individuals, Paper/Films, Unauthorized Access/Disclosure
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Blue Cross Blue Shield of Texas filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on May 9, 2025, reporting 593 affected individuals in an Unauthorized Access/Disclosure event involving paper or film records. The filing was submitted in BCBSTX’s capacity as a HIPAA Business Associate and is logged under Illinois, the home state of parent company Health Care Service Corporation.
This page covers the May 9, 2025 OCR filing only. It is distinct from two other 2025 BCBSTX-related incidents that have drawn separate coverage:
- The April 13, 2025 OCR filing covering 12,086 individuals at a Health Plan location of “Other” (tracked on a separate breach page).
- The much larger Conduent Business Services incident reported between October 21, 2024 and January 13, 2025, which affected roughly 4 million BCBSTX members through a third-party mailroom and back-office vendor and is the subject of a Texas Attorney General investigation.
The 593-individual filing on this page is a smaller, paper-records incident at the Business Associate side of BCBSTX’s operations.
Timeline
- May 9, 2025 — HIPAA breach notification filed with HHS OCR. The filing reports 593 affected individuals, classifies the breach type as Unauthorized Access/Disclosure, and identifies the location of breached information as Paper/Films. The covered entity type is logged as Business Associate with a business associate present.
No incident, discovery, or notification dates beyond the OCR filing date have been made public for this specific entry. We update this page if BCBSTX publishes a substitute notice, files with a state attorney general, or supplies additional detail to OCR.
What was exposed
The HHS OCR portal classifies the location of breached information as Paper/Films, which indicates physical records rather than electronic systems were involved. The portal does not itemize the specific data elements exposed.
Paper-records incidents of this type typically involve one of the following root causes, though none has been confirmed for this filing:
- Misdirected mail (e.g., a notice or document sent to the wrong recipient).
- Improper disposal of paper records.
- Unauthorized internal access to physical files.
- Loss or theft of paper documents.
When BCBSTX or HCSC issues a substitute notice or a state attorney general filing, the specific data elements involved will become public and this page will be updated.
What BCBSTX is offering
No public notice describing remediation, credit monitoring, or call-center support specific to this 593-individual filing has been identified at the time of writing. For incidents of this size, individual notification letters are typically mailed directly to affected persons within 60 days of breach discovery without a separate press release or substitute notice.
If you receive a letter referencing this incident, the letter itself will describe any complimentary services BCBSTX is offering.
Class-action posture
No class action specific to the May 9, 2025 593-individual paper-records filing has been identified. Class-action attention in this matter is concentrated on the much larger Conduent incident, which is a separate event. Plaintiffs’ firms publicly investigating the Conduent matter include Strauss Borrelli PLLC and Federman & Sherwood; those investigations do not target this paper-records filing.
The Texas Attorney General’s office has demanded information from BCBSTX and Conduent in connection with the Conduent incident. That investigation is also separate from this page’s filing.
What to do if you may be affected
- Watch for a notification letter. Because this is a smaller paper-records incident, BCBSTX’s primary contact channel will be a mailed notice to the address it has on file for you. Read the letter carefully when it arrives. It will list the specific data elements involved and any complimentary services offered.
- If the letter offers credit monitoring or identity-restoration services, enroll. It is paid for and adds nothing to your risk profile.
- Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft. A freeze and monitoring are complementary, not redundant.
- Watch your Explanation of Benefits statements for charges or claims you do not recognize. Medical identity theft typically surfaces in EOBs before it appears on credit reports.
- Do not confuse this incident with the Conduent matter. If you are part of the larger BCBSTX/Conduent population, you will receive a separate notification specific to that event. They are tracked separately by OCR and by BCBSTX.
- Keep the notification letter. It establishes your standing in any later class action.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach. Filter by covered entity name “Blue Cross Blue Shield of Texas” and breach submission date May 9, 2025 to retrieve the entry.
- Health Care Service Corporation — parent company overview — confirms HCSC is the Illinois-headquartered parent of BCBSTX, which is why the OCR record is logged under IL.
- Texas Attorney General — investigation announcement — referenced for disambiguation only; this announcement concerns the separate, much larger BCBSTX/Conduent incident, not the 593-individual paper-records filing on this page.
- Blue Cross and Blue Shield of Texas — Conduent cyber incident update — referenced for disambiguation only; covers the separate Conduent vendor incident.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Health Care Service Corporation — parent company overview
- Texas Attorney General — investigation announcement (separate, larger BCBSTX/Conduent incident)
- Blue Cross and Blue Shield of Texas — Conduent cyber incident update (separate incident, for disambiguation)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.