Active breach tracker IL Disclosed May 9, 2025

Blue Cross Blue Shield of Texas Data Breach 2025: 593 Affected · Paper/Films Unauthorized Access · IL Business Associate Filing. What To Do.

Blue Cross Blue Shield of Texas filed a second HIPAA breach notification with the HHS Office for Civil Rights on May 9, 2025, reporting 593 affected individuals in an Unauthorized Access/Disclosure event involving paper records. The filing is distinct from the larger BCBSTX/Conduent incident under Texas Attorney General investigation.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 9, 2025

HIPAA breach notification filed with HHS OCR — 593 individuals, Paper/Films, Unauthorized Access/Disclosure

Data exposed

03

Contact & insurance

Phishing + targeted scams

Protected health information contained on paper or film records (specific elements not publicly itemized on the OCR portal)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Blue Cross Blue Shield of Texas filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on May 9, 2025, reporting 593 affected individuals in an Unauthorized Access/Disclosure event involving paper or film records. The filing was submitted in BCBSTX’s capacity as a HIPAA Business Associate and is logged under Illinois, the home state of parent company Health Care Service Corporation.

This page covers the May 9, 2025 OCR filing only. It is distinct from two other 2025 BCBSTX-related incidents that have drawn separate coverage:

  • The April 13, 2025 OCR filing covering 12,086 individuals at a Health Plan location of “Other” (tracked on a separate breach page).
  • The much larger Conduent Business Services incident reported between October 21, 2024 and January 13, 2025, which affected roughly 4 million BCBSTX members through a third-party mailroom and back-office vendor and is the subject of a Texas Attorney General investigation.

The 593-individual filing on this page is a smaller, paper-records incident at the Business Associate side of BCBSTX’s operations.

Timeline

  • May 9, 2025 — HIPAA breach notification filed with HHS OCR. The filing reports 593 affected individuals, classifies the breach type as Unauthorized Access/Disclosure, and identifies the location of breached information as Paper/Films. The covered entity type is logged as Business Associate with a business associate present.

No incident, discovery, or notification dates beyond the OCR filing date have been made public for this specific entry. We update this page if BCBSTX publishes a substitute notice, files with a state attorney general, or supplies additional detail to OCR.

What was exposed

The HHS OCR portal classifies the location of breached information as Paper/Films, which indicates physical records rather than electronic systems were involved. The portal does not itemize the specific data elements exposed.

Paper-records incidents of this type typically involve one of the following root causes, though none has been confirmed for this filing:

  • Misdirected mail (e.g., a notice or document sent to the wrong recipient).
  • Improper disposal of paper records.
  • Unauthorized internal access to physical files.
  • Loss or theft of paper documents.

When BCBSTX or HCSC issues a substitute notice or a state attorney general filing, the specific data elements involved will become public and this page will be updated.

What BCBSTX is offering

No public notice describing remediation, credit monitoring, or call-center support specific to this 593-individual filing has been identified at the time of writing. For incidents of this size, individual notification letters are typically mailed directly to affected persons within 60 days of breach discovery without a separate press release or substitute notice.

If you receive a letter referencing this incident, the letter itself will describe any complimentary services BCBSTX is offering.

Class-action posture

No class action specific to the May 9, 2025 593-individual paper-records filing has been identified. Class-action attention in this matter is concentrated on the much larger Conduent incident, which is a separate event. Plaintiffs’ firms publicly investigating the Conduent matter include Strauss Borrelli PLLC and Federman & Sherwood; those investigations do not target this paper-records filing.

The Texas Attorney General’s office has demanded information from BCBSTX and Conduent in connection with the Conduent incident. That investigation is also separate from this page’s filing.

What to do if you may be affected

  • Watch for a notification letter. Because this is a smaller paper-records incident, BCBSTX’s primary contact channel will be a mailed notice to the address it has on file for you. Read the letter carefully when it arrives. It will list the specific data elements involved and any complimentary services offered.
  • If the letter offers credit monitoring or identity-restoration services, enroll. It is paid for and adds nothing to your risk profile.
  • Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft. A freeze and monitoring are complementary, not redundant.
  • Watch your Explanation of Benefits statements for charges or claims you do not recognize. Medical identity theft typically surfaces in EOBs before it appears on credit reports.
  • Do not confuse this incident with the Conduent matter. If you are part of the larger BCBSTX/Conduent population, you will receive a separate notification specific to that event. They are tracked separately by OCR and by BCBSTX.
  • Keep the notification letter. It establishes your standing in any later class action.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.