Active breach tracker San Antonio, TX Disclosed March 26, 2026

Cullen/Frost Bankers Data Breach 2026: 4,698 Employee Health Plan Members Exposed. Distinct From the Everest Customer Breach. What To Do

Cullen/Frost Bankers, Inc., the Texas-based parent of Frost Bank, filed an HHS OCR breach on March 26, 2026 covering 4,698 employee group health plan members. This is distinct from the larger Everest ransomware breach disclosed in April 2026 that affected 100,000+ Frost Bank customers (financial data only). Limited public detail on the HIPAA filing. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 26, 2026

HHS OCR filing — Hacking/IT Incident at Network Server (4,698 individuals)

Mar 26, 2026

Attacker gained access

Mar 26, 2026

Breach detected

Data exposed

01

High-risk identity

Enables financial + identity theft

Likely full name, Social Security number, health plan member ID, health insurance information (typical of group-health-plan breaches; not publicly itemized)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Cullen/Frost Bankers, Inc. is a Texas-based bank holding company, the parent of Frost Bank, with approximately 5,200 employees and headquartered in San Antonio.

On March 26, 2026, an HHS OCR breach filing was registered for Cullen/Frost Bankers — 4,698 individuals affected, classified as Hacking/IT Incident at Network Server. Because HIPAA jurisdiction attaches only to health-plan operations (not core banking), this filing almost certainly covers the company’s self-insured employee group health plan.

The affected count is consistent with a plan-participant population (Cullen/Frost has roughly 5,200 employees, and the OCR count typically includes employees plus dependents enrolled in the health plan).

This is NOT the Everest customer breach

Cullen/Frost Bankers also publicly disclosed a separate, larger breach in April 2026 in which the Everest ransomware group exfiltrated customer financial data from a third-party vendor (statement printing / tax document fulfillment). That incident:

  • Was disclosed publicly on April 20, 2026 (after the OCR filing date)
  • Affected 100,000+ Frost Bank customers
  • Exposed financial data (SSN, TIN, mortgage interest, income, investment gains, address) — not PHI
  • Triggered multiple class actions by late April 2026

The Everest customer breach is distinct from this HIPAA filing and is governed by financial-services data breach law, not HIPAA. The 4,698-individual OCR filing covers only the employee health plan members.

What was potentially exposed (HIPAA filing)

Specific data categories for the HHS OCR filing have not been publicly itemized. Group-health-plan breaches of this type typically expose:

  • Full name
  • Social Security number
  • Health plan member ID
  • Health insurance information
  • Date of birth and address

If you receive a Cullen/Frost Bankers health-plan notification letter, the letter itself will list the specific data elements involved in your case.

What Cullen/Frost is offering

Public information on response measures for the health-plan filing is limited. Read your specific notification letter carefully for credit monitoring vendor, duration, enrollment instructions, and the call-center number.

What to do

  1. Read your specific notification letter — public sources are sparse on this filing.
  2. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  3. File IRS Form 14039 if your SSN is confirmed in scope.
  4. If you are a Frost Bank customer, separately monitor for notifications about the Everest customer breach disclosed in April 2026 — that is a different incident with different remediation.
  5. Watch your insurance Explanation of Benefits statements for unfamiliar claims.
  6. Stop the ongoing flow of your group-health-plan data. HealthConsent files HIPAA restriction requests covering self-insured health-plan data flows.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.