Active breach tracker Texas Disclosed December 8, 2025

Vida Y Salud-Health Systems Data Breach 2025: 35,236 Crystal City FQHC Patients Exposed. What To Do

Vida Y Salud-Health Systems, Inc., a nonprofit Federally Qualified Health Center in Crystal City, Texas serving predominantly Spanish-speaking communities across Zavala, Dimmit, La Salle, and Uvalde counties, disclosed an October 2025 network intrusion. Names, Social Security numbers, driver's license numbers, medical and health-insurance information, and financial account details exposed for 35,236 individuals. Multiple plaintiffs' firms investigating. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 7, 2025

Unauthorized access to Vida Y Salud network begins

Oct 8, 2025

Suspicious activity detected; systems isolated; external forensics engaged

Dec 6, 2025

Initial patient notification letters mailed

Dec 8, 2025

HHS OCR portal submission (35,236 affected)

Jan 5, 2026

Texas Attorney General filing (34,504 Texas residents)

Jan 6, 2026

Plaintiffs' firms publicly open investigations

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

03

Contact & insurance

Phishing + targeted scams

Full name Address Medical information Health insurance information Financial account number Claim number

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter, LLP (publicly investigating; announced 2026-01-06) Strauss Borrelli PLLC (publicly investigating; announced 2026-01-06) Federman & Sherwood (publicly investigating) Mason LLP (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Vida Y Salud-Health Systems, Inc. (VSHSI) is a nonprofit Federally Qualified Health Center headquartered in Crystal City, Texas. Founded in 1972, the organization provides primary care, dental, immunization, laboratory, pharmacy, and school-based clinic services to predominantly Spanish-speaking, rural, and low-income communities across Zavala, Dimmit, La Salle, and Uvalde counties in South Texas. The October 2025 network intrusion disclosed in this incident exposed personal, medical, and financial information for 35,236 individuals per the federal regulator filing.

Timeline

  • October 7, 2025 — An unauthorized actor accesses the Vida Y Salud network. Files containing patient information are copied during the window.
  • October 8, 2025 — Suspicious activity is detected. Vida Y Salud isolates affected systems, engages third-party cybersecurity specialists, and begins notifying law enforcement and regulators.
  • December 6, 2025 — Initial individual notification letters mailed to affected patients. A toll-free assistance line opens at 833-792-0594 (Monday–Friday, 7 a.m. to 7 p.m. CST).
  • December 8, 2025 — Vida Y Salud files the HIPAA breach notification with the HHS Office for Civil Rights, reporting 35,236 affected individuals under “Hacking/IT Incident — Network Server.”
  • January 5, 2026 — Vida Y Salud files with the Texas Attorney General, listing 34,504 Texas residents affected. The OCR total includes additional residents in nearby states.
  • January 6, 2026 — Multiple plaintiffs’ firms (Lynch Carpenter, Strauss Borrelli, Federman & Sherwood, Mason LLP) publicly announce class-action investigations.

What was exposed

Per Vida Y Salud’s notice and the Texas AG filing:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Medical information
  • Health insurance information
  • Financial account number
  • Claim number

Both full Social Security numbers and driver’s license numbers are in scope, which puts this incident in the high-risk identity-theft category. The presence of medical and insurance information also enables healthcare-specific fraud (claim resubmission, prescription redirection, benefits hijack).

Sensitive-population considerations

Vida Y Salud’s mission centers on Spanish-speaking, rural, federally-subsidized patient communities in the South Texas border region. For this population, the exposure carries risks beyond standard consumer identity theft:

  • Mixed-immigration-status families may face elevated exposure if SSN or driver’s-license data is misused for synthetic-identity fraud, employment fraud, or other downstream uses that surface in government databases. Affected individuals concerned about immigration consequences may want to consult an immigration attorney or trusted community organization (e.g., RAICES, MALDEF, La Unión del Pueblo Entero) before taking actions that put their information in front of new institutions.
  • Spanish-language access matters. Vida Y Salud’s substitute notice, helpline (833-792-0594), and any credit-monitoring enrollment should be available in Spanish. If you are calling on behalf of a family member with limited English proficiency, request a Spanish-speaking representative.
  • Medicaid and CHIP enrollment fraud is a real downstream risk. Claims billed under a patient’s member ID can disrupt eligibility. Watch your Medicaid Notice of Action statements and any Explanation of Benefits closely.
  • Many patients in this population do not have pre-existing credit-monitoring infrastructure or a banking relationship that flags fraud. Enrolling in the complimentary credit monitoring Vida Y Salud is offering is the highest-leverage first step.

Class-action posture

As of mid-May 2026, multiple plaintiffs’ firms have publicly opened investigations. No consolidated complaint has been independently confirmed in either the Southern District of Texas or the Western District of Texas in the sources reviewed. Federal class actions in similar FQHC breaches typically file in the district where the entity is headquartered (Crystal City is in the Western District of Texas, Del Rio Division), and consolidation in front of a single judge is common when multiple firms file in parallel.

Firms publicly investigating:

  • Lynch Carpenter, LLP
  • Strauss Borrelli PLLC
  • Federman & Sherwood
  • Mason LLP

What to do

  1. Read your specific notification letter when it arrives. It will list the data elements specific to your record and any credit-monitoring activation code.
  2. Enroll in the offered credit monitoring and identity-protection service. Use the helpline (833-792-0594) if you need help with enrollment in Spanish.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. Full Social Security numbers are in scope, which is the highest-leverage threat.
  4. File IRS Form 14039 (Identity Theft Affidavit) if you see any unfamiliar tax-related activity, especially given the timing close to tax season.
  5. Watch your insurance Explanation of Benefits and Medicaid Notice of Action statements for unfamiliar claims.
  6. If immigration-status concerns apply to your household, consult a trusted immigration attorney or community organization before responding to any unsolicited follow-up communications referencing this breach.
  7. Be alert to bilingual phishing attempts referencing Vida Y Salud, your clinic, or the breach itself. Vida Y Salud will not ask you to confirm your Social Security number or financial information by phone, email, or text.
  8. Stop the ongoing flow of your community health center data. HealthConsent files HIPAA restriction requests covering FQHC, Medicaid managed care, and prescription network pathways.

Sources

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.