Sierra Vista Hospital & Clinics Data Breach 2025: 75,054 New Mexico Patients Exposed After Two-Week Network Intrusion. What To Do
Sierra Vista Hospital & Clinics, the only hospital in Truth or Consequences, New Mexico, disclosed a January 2025 network intrusion that exposed names, Social Security numbers, dates of birth, driver's license numbers, medical records, and health insurance details for 75,054 individuals. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 14, 2025
Unauthorized access to Sierra Vista Hospital network begins
Jan 29, 2025
Hospital detects unauthorized network activity and engages incident response
Jan 31, 2025
Unauthorized access window ends per forensic review
Aug 13, 2025
Forensic review concludes affected files contained PII and PHI
Oct 6, 2025
Breach reported to HHS OCR (75,054 individuals, Network Server); individual notification mailings begin; entity press release published at svhnm.org
Oct 7, 2025
Notices filed with Massachusetts and Texas attorneys general (484 Texas residents, 7 Massachusetts residents)
Oct 10, 2025
Notice filed with New Hampshire Attorney General (4 NH residents)
Nov 10, 2025
nm.news reports class-action attorneys are preparing suit
Feb 6, 2026
ClassAction.org closes its investigation and updates page to 'investigation complete' status
Jan 14, 2025
Unauthorized access to Sierra Vista Hospital network begins
Jan 29, 2025
Hospital detects unauthorized network activity and engages incident response
Jan 31, 2025
Unauthorized access window ends per forensic review
Aug 13, 2025
Forensic review concludes affected files contained PII and PHI
Oct 6, 2025
Breach reported to HHS OCR (75,054 individuals, Network Server); individual notification mailings begin; entity press release published at svhnm.org
Oct 7, 2025
Notices filed with Massachusetts and Texas attorneys general (484 Texas residents, 7 Massachusetts residents)
Oct 10, 2025
Notice filed with New Hampshire Attorney General (4 NH residents)
Nov 10, 2025
nm.news reports class-action attorneys are preparing suit
Feb 6, 2026
ClassAction.org closes its investigation and updates page to 'investigation complete' status
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Sierra Vista Hospital & Clinics, the sole community hospital serving Truth or Consequences and the surrounding rural stretch of southern New Mexico, disclosed a two-week January 2025 network intrusion that exposed protected health information for 75,054 individuals. The hospital detected the unauthorized access on January 29, 2025, completed its forensic review on August 13, 2025, and began mailing individual notification letters on October 6, 2025. That is more than eight months between intrusion and patient notice. Multiple plaintiff firms have opened class-action investigations, and Sierra Vista is providing free Experian IdentityWorks credit monitoring to affected individuals.
What happened
Sierra Vista Hospital & Clinics (SVH) is the only hospital in Sierra County, New Mexico. Located at 800 E. 9th Avenue in Truth or Consequences, it operates a 24-hour emergency department, a Rural Health Clinic, a Walk-in Clinic, general surgery consultation, and inpatient and outpatient services for a population that has few alternative providers within reasonable travel distance.
On January 29, 2025, SVH detected unauthorized access to portions of its computer network. Incident response was launched immediately, and external cybersecurity professionals were engaged. The forensic investigation determined that an unauthorized party had accessed the network between January 14 and January 31, 2025. On August 13, 2025, the review concluded that files within the affected network segment contained personal and protected health information. SVH filed its HIPAA breach report with the HHS Office for Civil Rights on October 6, 2025, listing 75,054 affected individuals and Network Server as the breach location. Individual notification mailings and state attorney general filings followed on October 6-10. No ransomware group has publicly claimed responsibility for this incident, and SVH has not attributed the intrusion to a named threat actor in any public filing reviewed.
calHIPAA’s October 2025 healthcare breach report ranked Sierra Vista as the fourth-largest breach reported that month, behind Conduent Business Services (10.5 million), Tri Century Eye Care (200,000), and Central Jersey Medical Center (88,000).
What was stolen
Sierra Vista’s official data security incident notice, published at svhnm.org on October 6, 2025, and the parallel state attorney general filings describe the following data elements as potentially exposed:
- Full name
- Address
- Date of birth
- Social Security number
- Driver’s license number or state identification number
- Medical information (treatment, diagnosis, and clinical records)
- Health insurance information
This is the broad combination — government identifier plus medical history plus insurance — that drives both medical identity theft risk and tax-refund fraud risk. SVH has stated it has no information indicating that exposed data has been used to commit fraud or identity theft as of its notification date.
What Sierra Vista is offering
Sierra Vista is providing affected individuals with complimentary access to Experian IdentityWorks credit monitoring. Identity restoration assistance is available immediately without requiring enrollment. To activate the full fraud detection tools, follow the enrollment instructions in your specific notification letter, including the activation code and enrollment deadline printed on your letter.
The dedicated call center is 855-291-2594, available for 90 days from the date of your letter, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern time, excluding holidays.
For questions about Experian IdentityWorks specifically, contact Experian’s customer care team at 877-288-8057. A credit card is not required to enroll. Be prepared to provide the engagement number from your letter when calling Experian.
In response to the incident, SVH states it has implemented additional safeguards including increased email filtering, added malware monitoring, and enhanced cybersecurity training for staff.
Class actions
As of this update, no consolidated class action has been reported as filed in U.S. District Court for the District of New Mexico or in New Mexico state court against Sierra Vista Hospital & Clinics. Active class-action investigations have been opened publicly by Federman & Sherwood, Strauss Borrelli PLLC, and Almeida Law Group. ClassAction.org’s affiliated counsel opened an intake investigation in October 2025 and closed it in February 2026, noting that the investigation is complete and directing any remaining questions to local attorneys. Claim Depot affiliated counsel continues intake. nm.news reported in November 2025 that class-action attorneys were preparing suit and soliciting notice recipients.
The HHS OCR entry remains posted on the public portal at 75,054 individuals. OCR has not separately published an investigation or enforcement status.
Sensitive-population context: rural patients
Sierra Vista is the only hospital in Sierra County. For most patients affected by this breach, SVH is not one of several providers in their medical record. It is the provider. That concentration matters when a breach exposes the full identifier stack. Rural patients in this population are statistically more likely to have a single Social Security number tied to Medicare enrollment, more likely to receive notification through a single long-standing mailing address, and less likely to have ready access to identity protection services without significant travel. A credit freeze is the highest-leverage step for this population because it blocks new account fraud automatically, without requiring the patient to monitor every downstream channel.
What to do
The combination of Social Security number, date of birth, driver’s license number, and medical history is high-risk. Plan defenses accordingly.
- Enroll in Experian IdentityWorks using the activation code and enrollment instructions in your Sierra Vista notification letter. Call 855-291-2594 (90 days from your letter date) if you have questions about your enrollment eligibility or the scope of your coverage.
- Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new account fraud. Do this in addition to the Experian monitoring — the two protect against different attacks.
- Request an IRS Identity Protection PIN at irs.gov/ippin. When SSNs and dates of birth are exposed together, tax-refund fraud is one of the most common downstream attacks.
- Watch for medical identity theft. Request copies of your Explanation of Benefits from Medicare, Medicaid, or your private insurer. Verify every listed claim is one you recognize. Report unfamiliar claims to your insurer and to HHS OCR.
- Replace your driver’s license or state ID through the New Mexico Motor Vehicle Division if your license number was listed in your notification letter. License-number fraud is harder to detect than credit fraud and replacement is inexpensive.
- Be skeptical of unsolicited outreach referencing the breach. Threat actors routinely follow large healthcare disclosures with targeted phishing using the leaked identifiers. Sierra Vista will not ask for your Social Security number or banking information by phone or email.
- Stop the ongoing flow of your medical data. HealthConsent files HIPAA restriction requests so the clinical and insurance information exposed in this breach is not continuously re-shared across healthcare networks, clearinghouses, and data brokers. File a restriction request through HealthConsent.
Continue reading
Sources
- HHS Office for Civil Rights Breach Portal
- Sierra Vista Hospital & Clinics — Data Security Incident Notice (PDF)
- Sierra Vista Hospital & Clinics — official site
- nm.news — Class-action lawsuit looms for hospital after major data breach
- Claim Depot — Sierra Vista Data Breach Exposes SSNs & Medical Info of 75K
- ClassAction.org — Sierra Vista Hospital & Clinics Data Breach
- Strauss Borrelli PLLC — Sierra Vista Hospital & Clinics Data Breach Investigation
- Federman & Sherwood — Sierra Vista Hospital & Clinics Data Breach
- Almeida Law Group — Sierra Vista Hospital & Clinics Data Breach
- New Hampshire AG — Sierra Vista Hospital & Clinics Notice Filing (PDF)
- calHIPAA — Healthcare Data Breach Report for October 2025
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Sierra Vista Hospital & Clinics — Data Security Incident Notice (PDF)
- Sierra Vista Hospital & Clinics — official site
- nm.news — Class-action lawsuit looms for hospital after major data breach
- Claim Depot — Sierra Vista Data Breach Exposes SSNs & Medical Info of 75K
- ClassAction.org — Sierra Vista Hospital & Clinics Data Breach
- Strauss Borrelli PLLC — Sierra Vista Hospital & Clinics Data Breach Investigation
- Federman & Sherwood — Sierra Vista Hospital & Clinics Data Breach
- Almeida Law Group — Sierra Vista Hospital & Clinics Data Breach
- New Hampshire AG — Sierra Vista Hospital & Clinics Notice Filing (PDF)
- calHIPAA — Healthcare Data Breach Report for October 2025
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.