Capitol Pain Institute Data Breach 2026: 695 Pain Management Patients Exposed Across 5 States via Email Compromise. What To Do
Capitol Pain Institute, a multi-state interventional pain management practice headquartered in Colorado Springs with 16 clinics across CO, TX, IN, KY, and OH, filed an HHS OCR breach in May 2026 affecting 695 patients via an email account compromise. Specific PHI categories and remediation not yet publicly disclosed. Controlled-substance prescription history potentially in scope. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 1, 2026
Attacker gained access
Apr 1, 2026
Breach detected
May 1, 2026
HHS OCR filing
Apr 1, 2026
Attacker gained access
Apr 1, 2026
Breach detected
May 1, 2026
HHS OCR filing
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Capitol Pain Institute is a multi-state interventional pain management practice headquartered at 6025 Delmonico Drive, Colorado Springs, Colorado. The practice operates 16 clinics across 5 states: Colorado (2 locations — Colorado Springs and Greenwood Village/Denver), Texas (7), Indiana, Kentucky, and Ohio. Services include epidural steroid injections, nerve blocks, radiofrequency ablation, spinal cord stimulation, and peripheral nerve stimulation. The practice follows a conservative-first protocol but scope includes controlled-substance prescribing typical of interventional pain management.
Colorado providers named publicly: Timothy V. Sandell, MD and Zach Winkler, MD.
Capitol Pain Institute filed with HHS OCR on May 1, 2026 — Hacking/IT Incident at Email — confirming 695 affected individuals. The discovery date, incident window, and individual notice mailing date have not been publicly disclosed.
The OCR classification (Hacking/IT Incident at Email) is consistent with the textbook business email compromise / phishing-driven mailbox compromise pattern. No ransomware group has publicly claimed responsibility. No dark-web leak-site listing has been observed.
Why this page is sparse
As of mid-May 2026, Capitol Pain Institute has not posted a public breach notice on capitolpain.com (homepage or Medical Records page contain no incident disclosure 14 days post-OCR filing — itself a notable compliance signal). No HIPAA Journal, Denver Post, 9News, Westword, or Colorado Springs Gazette coverage has surfaced. No Colorado AG portal listing has been verified.
Coverage is limited to plaintiff-firm investigation pages.
Why pain management breaches carry hidden risk
Like other interventional pain practices, Capitol Pain Institute is a controlled-substance-prescribing specialty under DEA scrutiny. Opioid and controlled-substance prescription history is among the most stigmatizing categories of PHI — exposure carries implications for:
- Employment background checks
- Insurance underwriting
- Professional licensing
- Child custody disputes
- Ongoing DEA prescribing-pattern surveillance
If your records include opioid or controlled-substance therapy, even partial disclosure can have outsized professional and personal consequences.
What was potentially exposed
Specific PHI categories have not been publicly itemized. ClaimDepot explicitly notes “specific types of data exposed beyond personally identifiable information have not been detailed.”
For an email-mailbox compromise at a pain-management practice, the email account likely contained a subset of:
- Full name
- Date of birth, address, contact information
- Health insurance information
- Referral letters, prior-authorization correspondence
- Imaging reports (MRI, CT) forwarded to physicians
- Controlled-substance prescription confirmations
- PDMP-related communications
- Social Security number (if billing staff use email)
Read your specific notification letter for the confirmed data elements.
What to do
- Read your specific notification letter to confirm what data elements were involved in your case and what (if any) credit monitoring is offered.
- Place free credit freezes at Equifax, Experian, TransUnion if SSN or financial information was in scope.
- If your prescription history matters professionally (employment background checks, custody, professional licensing), document the breach for potential future disputes.
- Watch your insurance Explanation of Benefits statements for unfamiliar pain-management claims.
- Stop the ongoing flow of your pain management and prescription data. HealthConsent files HIPAA restriction requests so the controlled-substance prescription and treatment data exposed in this breach is not continuously re-shared across PDMPs, PBMs, and insurance networks.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Capitol Pain Institute Homepage
- Capitol Pain Institute Colorado Springs Location
- Capitol Pain Institute Denver / Greenwood Village Location
- ClaimDepot: Capitol Pain Institute Data Breach Investigation
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.