Consultants in Pain Medicine Data Breach 2025: 1,124 Affected · Hacking/IT Incident · TX. Filed With HHS OCR. What To Do.
Consultants in Pain Medicine (TX) filed a HIPAA breach notification with the HHS Office for Civil Rights on February 16, 2025, reporting 1,124 affected individuals in a Hacking/IT Incident event at Network Server. The HHS OCR portal entry is the primary public record; further details are not yet publicly disclosed o...
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 26, 2024
access
Jul 7, 2024
access
Jan 17, 2025
detected
Jan 17, 2025
Breach detected
Feb 14, 2025
notified
Feb 14, 2025
Disclosed publicly
Feb 16, 2025
filed
Feb 18, 2025
filed
Jun 26, 2024
access
Jul 7, 2024
access
Jan 17, 2025
detected
Jan 17, 2025
Breach detected
Feb 14, 2025
notified
Feb 14, 2025
Disclosed publicly
Feb 16, 2025
filed
Feb 18, 2025
filed
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Consultants in Pain Medicine, a San Antonio, Texas pain management practice, disclosed that an unauthorized third party accessed its network between June 26 and July 7, 2024, and that the data of 1,124 individuals was exposed. The practice filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on February 16, 2025, classified as a Hacking/IT Incident at a network server, and notified the Texas Attorney General two days later.
Timeline
- June 26 – July 7, 2024 — Unauthorized third party accessed Consultants in Pain Medicine’s network and certain files containing patient information.
- January 17, 2025 — CPM completed its review of the affected data and identified the individuals whose information was involved.
- February 14, 2025 — Notification letters began mailing to affected patients; a substitute notice was also posted to the practice’s website.
- February 16, 2025 — HIPAA breach report filed with the HHS Office for Civil Rights (1,124 individuals; Hacking/IT Incident; Network Server).
- February 18, 2025 — Notice of data breach filed with the Texas Attorney General.
What was exposed
According to the notice and subsequent counsel write-ups, the exposed data elements include:
- Names
- Social Security numbers
- Dates of birth
- Driver’s license numbers and state identification numbers
- Passport numbers
- Financial account numbers
- Medical information
- Health insurance policy information
Affected individuals whose Social Security numbers were involved were offered complimentary credit monitoring and identity theft protection services.
Why this one is unusually sensitive
Pain medicine practice records are not just “health data.” A pain-management chart typically documents controlled-substance prescribing history, opioid dosing, urine drug screen results, and in many cases a buprenorphine, methadone, or other substance-use-disorder treatment course. That category of record is governed by 42 CFR Part 2 in addition to HIPAA, and it carries real-world consequences if it leaks: employment discrimination, custody disputes, insurance underwriting friction, and stigma in any future medical encounter. A breach that pairs a name and Social Security number with the fact that someone is a chronic-pain or SUD-adjacent patient is materially worse than a breach of the same identifiers from a general-practice clinic.
Credit monitoring offering
Individuals whose Social Security numbers were involved were offered complimentary credit monitoring and identity theft protection services through CPM’s notification letter. The notification letter is the document of record; enrollment instructions and the activation code are inside it.
Class action status
As of this update, no consolidated class action complaint has been publicly docketed. Multiple plaintiffs’ firms — including Strauss Borrelli PLLC and Console & Associates, P.C. — have announced active investigations and are soliciting affected individuals. Investigation announcements are not lawsuits; they signal that firms are gathering named plaintiffs and assessing damages theories before any complaint is filed.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft when Social Security numbers are involved.
- Enroll in the offered credit monitoring if you received a letter. The activation code is single-use and tied to your record.
- Watch for medical-identity-theft signals, not just financial ones: explanation-of-benefits statements for care you did not receive, prescription denials at the pharmacy because a refill was already filled, or a new provider’s intake showing prescriptions you did not get. These are the patterns that show up after a pain-clinic breach.
- If you were in active treatment, ask CPM’s records custodian directly whether your specific chart (including controlled-substance prescribing history) was among the files accessed. The HHS portal entry covers the population; only your individual notice covers you.
- Keep your notification letter. It is the document that establishes standing if a class action is later filed and certified.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Console & Associates, P.C. on JDSupra — confirms SSNs and other identifiers were involved; details the access window.
- Strauss Borrelli PLLC investigation — class-action plaintiffs’ firm investigation page with the data-element list and notification date.
- Console & Associates — investigation page — corroborating data-element list and notification timeline.
- Data Breach Class Action — investigation — additional confirmation of access window and exposed-data categories.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Console & Associates, P.C. (JDSupra) — Texas-Based Consultants in Pain Medicine Confirms SSNs Leaked
- Strauss Borrelli PLLC — Consultants in Pain Medicine Data Breach Investigation
- Console & Associates — Consultants in Pain Medicine Investigation
- Data Breach Class Action — Consultants in Pain Medicine Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.