Integrated Pain Associates Data Breach 2026: 500+ Texas Pain Management Patients Exposed Across 7 Locations. Controlled-Substance Records in Scope. What To Do
Integrated Pain Associates (IPA), a Texas interventional pain management practice with seven locations across Central and West Texas (Killeen, Abilene, Waco, Lampasas, Temple, Odessa, Brownwood), disclosed a February 2026 network intrusion. Names, Social Security numbers, driver's licenses, controlled-substance prescription records, and financial accounts exposed. Complimentary credit monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 24, 2026
Unauthorized network access (forensically confirmed)
Apr 30, 2026
Forensic review concludes; data breach notice posted to ipaclinic.com; ~65-day gap from access to disclosure
Apr 30, 2026
Breach detected
Apr 30, 2026
Disclosed publicly
May 1, 2026
HHS OCR filing (500 placeholder; final count likely higher given 7-location footprint)
Feb 24, 2026
Unauthorized network access (forensically confirmed)
Apr 30, 2026
Forensic review concludes; data breach notice posted to ipaclinic.com; ~65-day gap from access to disclosure
Apr 30, 2026
Breach detected
Apr 30, 2026
Disclosed publicly
May 1, 2026
HHS OCR filing (500 placeholder; final count likely higher given 7-location footprint)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Integrated Pain Associates (IPA) is a Texas interventional pain management practice headquartered at 3800 SWS Young Drive, Suite 301, Killeen, TX. The practice operates seven Texas locations across Central and West Texas: Killeen, Abilene, Waco, Lampasas, Temple, Odessa, and Brownwood.
On February 24, 2026, an unauthorized actor accessed IPA’s network. The forensic review concluded on April 30, 2026, and IPA posted a data incident notice the same day. HHS OCR filing followed on May 1, 2026 — initial placeholder of 500 affected individuals (final count is likely higher given the 7-location footprint).
The ~65-day gap from access to disclosure is consistent with HIPAA’s 60-day notification clock running from the forensic conclusion rather than from the initial intrusion date.
No ransomware group has publicly claimed responsibility. No dark-web leak-site listing has been observed.
Why pain-management breaches carry hidden risk
IPA is a controlled-substance-prescribing specialty under DEA scrutiny. Opioid and controlled-substance prescription history is among the most stigmatizing categories of PHI, with consequences for:
- Employment background checks
- Insurance underwriting
- Professional licensing
- Child custody disputes
- Ongoing DEA prescribing-pattern surveillance
If your records include opioid or controlled-substance therapy, even partial disclosure can have outsized professional and personal consequences.
Fort Cavazos / military beneficiary impact: IPA’s Killeen location is adjacent to Fort Cavazos (formerly Fort Hood). TRICARE patients and military families in the region may be affected, which could trigger separate DoD notification requirements.
What was stolen
Per the entity’s data incident notice:
- Full name, home address, date of birth
- Driver’s license number
- Social Security number
- Diagnosis / condition information
- Medication information (controlled-substance Rx history implied given pain-management specialty)
- Provider name
- Other treatment information
- Health insurance information
- Financial account information
The combination of SSN + driver’s license + financial accounts + controlled-substance records is a particularly high-stakes exposure.
What IPA is offering
- Complimentary credit monitoring and identity theft protection (vendor and duration not publicly disclosed)
- Dedicated call center: 1-800-405-6108 (Monday to Friday, 8 a.m. to 8 p.m. Eastern)
- Forensic specialists engaged; law enforcement notified; additional security measures deployed
What to do
- Read your specific notification letter to confirm the data elements involved and the credit monitoring terms offered.
- Enroll in the offered monitoring through the activation code in your letter.
- Place free credit freezes at Equifax, Experian, TransUnion. Full SSN, driver’s license, and financial accounts are in scope.
- File IRS Form 14039.
- Cancel and reissue payment methods tied to financial accounts.
- Replace your driver’s license if you receive evidence of identity theft using it.
- If your prescription history matters professionally (employment background, custody, professional licensing, DEA scrutiny), document the breach for future disputes.
- If you are a TRICARE / military beneficiary treated at the Killeen location, separately contact your TRICARE region administrator about secondary protections.
- Stop the ongoing flow of your pain management records. HealthConsent files HIPAA restriction requests covering controlled-substance prescription pathways including PDMPs, PBMs, and insurance networks.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Integrated Pain Associates: Data Incident Notice
- HIPAA Journal: Data Breaches Announced by Four Healthcare Providers (May 2026)
- ClassAction.org: Integrated Pain Associates April 2026
- ClaimDepot: Integrated Pain Associates 2026
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.