Vida Y Salud-Health Systems Data Breach 2025: 35,236 Crystal City FQHC Patients Exposed. What To Do
Vida Y Salud-Health Systems, Inc., a nonprofit Federally Qualified Health Center in Crystal City, Texas serving predominantly Spanish-speaking communities across Zavala, Dimmit, La Salle, and Uvalde counties, disclosed an October 2025 network intrusion. Names, Social Security numbers, driver's license numbers, medical and health-insurance information, and financial account details exposed for 35,236 individuals. Multiple plaintiffs' firms investigating. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 7, 2025
Unauthorized access to Vida Y Salud network begins
Oct 8, 2025
Suspicious activity detected; systems isolated; external forensics engaged
Dec 6, 2025
Initial patient notification letters mailed
Dec 8, 2025
HHS OCR portal submission (35,236 affected)
Jan 5, 2026
Texas Attorney General filing (34,504 Texas residents)
Jan 6, 2026
Plaintiffs' firms publicly open investigations
Oct 7, 2025
Unauthorized access to Vida Y Salud network begins
Oct 8, 2025
Suspicious activity detected; systems isolated; external forensics engaged
Dec 6, 2025
Initial patient notification letters mailed
Dec 8, 2025
HHS OCR portal submission (35,236 affected)
Jan 5, 2026
Texas Attorney General filing (34,504 Texas residents)
Jan 6, 2026
Plaintiffs' firms publicly open investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Vida Y Salud-Health Systems, Inc. (VSHSI) is a nonprofit Federally Qualified Health Center headquartered in Crystal City, Texas. Founded in 1972, the organization provides primary care, dental, immunization, laboratory, pharmacy, and school-based clinic services to predominantly Spanish-speaking, rural, and low-income communities across Zavala, Dimmit, La Salle, and Uvalde counties in South Texas. The October 2025 network intrusion disclosed in this incident exposed personal, medical, and financial information for 35,236 individuals per the federal regulator filing.
Timeline
- October 7, 2025 — An unauthorized actor accesses the Vida Y Salud network. Files containing patient information are copied during the window.
- October 8, 2025 — Suspicious activity is detected. Vida Y Salud isolates affected systems, engages third-party cybersecurity specialists, and begins notifying law enforcement and regulators.
- December 6, 2025 — Initial individual notification letters mailed to affected patients. A toll-free assistance line opens at 833-792-0594 (Monday–Friday, 7 a.m. to 7 p.m. CST).
- December 8, 2025 — Vida Y Salud files the HIPAA breach notification with the HHS Office for Civil Rights, reporting 35,236 affected individuals under “Hacking/IT Incident — Network Server.”
- January 5, 2026 — Vida Y Salud files with the Texas Attorney General, listing 34,504 Texas residents affected. The OCR total includes additional residents in nearby states.
- January 6, 2026 — Multiple plaintiffs’ firms (Lynch Carpenter, Strauss Borrelli, Federman & Sherwood, Mason LLP) publicly announce class-action investigations.
What was exposed
Per Vida Y Salud’s notice and the Texas AG filing:
- Full name
- Address
- Date of birth
- Social Security number
- Driver’s license number
- Medical information
- Health insurance information
- Financial account number
- Claim number
Both full Social Security numbers and driver’s license numbers are in scope, which puts this incident in the high-risk identity-theft category. The presence of medical and insurance information also enables healthcare-specific fraud (claim resubmission, prescription redirection, benefits hijack).
Sensitive-population considerations
Vida Y Salud’s mission centers on Spanish-speaking, rural, federally-subsidized patient communities in the South Texas border region. For this population, the exposure carries risks beyond standard consumer identity theft:
- Mixed-immigration-status families may face elevated exposure if SSN or driver’s-license data is misused for synthetic-identity fraud, employment fraud, or other downstream uses that surface in government databases. Affected individuals concerned about immigration consequences may want to consult an immigration attorney or trusted community organization (e.g., RAICES, MALDEF, La Unión del Pueblo Entero) before taking actions that put their information in front of new institutions.
- Spanish-language access matters. Vida Y Salud’s substitute notice, helpline (833-792-0594), and any credit-monitoring enrollment should be available in Spanish. If you are calling on behalf of a family member with limited English proficiency, request a Spanish-speaking representative.
- Medicaid and CHIP enrollment fraud is a real downstream risk. Claims billed under a patient’s member ID can disrupt eligibility. Watch your Medicaid Notice of Action statements and any Explanation of Benefits closely.
- Many patients in this population do not have pre-existing credit-monitoring infrastructure or a banking relationship that flags fraud. Enrolling in the complimentary credit monitoring Vida Y Salud is offering is the highest-leverage first step.
Class-action posture
As of mid-May 2026, multiple plaintiffs’ firms have publicly opened investigations. No consolidated complaint has been independently confirmed in either the Southern District of Texas or the Western District of Texas in the sources reviewed. Federal class actions in similar FQHC breaches typically file in the district where the entity is headquartered (Crystal City is in the Western District of Texas, Del Rio Division), and consolidation in front of a single judge is common when multiple firms file in parallel.
Firms publicly investigating:
- Lynch Carpenter, LLP
- Strauss Borrelli PLLC
- Federman & Sherwood
- Mason LLP
What to do
- Read your specific notification letter when it arrives. It will list the data elements specific to your record and any credit-monitoring activation code.
- Enroll in the offered credit monitoring and identity-protection service. Use the helpline (833-792-0594) if you need help with enrollment in Spanish.
- Place free credit freezes at Equifax, Experian, and TransUnion. Full Social Security numbers are in scope, which is the highest-leverage threat.
- File IRS Form 14039 (Identity Theft Affidavit) if you see any unfamiliar tax-related activity, especially given the timing close to tax season.
- Watch your insurance Explanation of Benefits and Medicaid Notice of Action statements for unfamiliar claims.
- If immigration-status concerns apply to your household, consult a trusted immigration attorney or community organization before responding to any unsolicited follow-up communications referencing this breach.
- Be alert to bilingual phishing attempts referencing Vida Y Salud, your clinic, or the breach itself. Vida Y Salud will not ask you to confirm your Social Security number or financial information by phone, email, or text.
- Stop the ongoing flow of your community health center data. HealthConsent files HIPAA restriction requests covering FQHC, Medicaid managed care, and prescription network pathways.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (35,236 affected).
- HIPAA Journal coverage — incident overview and FQHC context.
- ClassAction.org case page — plaintiffs’-side investigation.
- Bright Defense incident writeup — timeline, response measures, and helpline.
- Lynch Carpenter investigation announcement — January 6, 2026.
- Strauss Borrelli investigation — plaintiffs’ firm investigation page.
- Federman & Sherwood investigation — plaintiffs’ firm investigation page.
- Vida Y Salud-Health Systems homepage — entity background and service area.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS OCR Breach Portal
- HIPAA Journal: Vida Y Salud-Health Systems & Dublin Medical Center Confirm Data Breaches
- ClassAction.org: Vida Y Salud-Health Systems January 2026
- Bright Defense: Vida Y Salud Breach Impacts 34k
- Lynch Carpenter Investigation Announcement (GlobeNewswire)
- Strauss Borrelli: Vida Y Salud Investigation
- Federman & Sherwood: Vida Y Salud Investigation
- Vida Y Salud-Health Systems Homepage
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.