Active breach tracker Dallas, Texas Disclosed October 10, 2025

Visiting Nurse Association of Texas Data Breach 2025: 28,515 Home-Health, Hospice, and Meals on Wheels Recipients Exposed via Employee Email Compromise. What To Do

Visiting Nurse Association of Texas, LLC (VNA Texas) — the Dallas-based home health, hospice, palliative care, and Meals on Wheels nonprofit — filed a Hacking/IT Incident report with HHS OCR on October 10, 2025 covering 28,515 individuals after an unauthorized third party accessed employee email accounts in July 2025. The substitute notice and Texas AG filing followed on January 30, 2026, confirming exposure of Social Security numbers, driver's license numbers, dates of birth, medical information, and health insurance information. Plaintiff firms are investigating. Here is what affected patients and families should do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 17, 2025

VNA Texas detects unusual activity on its network; investigation confirms unauthorized third-party access to employee email accounts

Oct 10, 2025

VNA Texas files Hacking/IT Incident report with HHS OCR (28,515 affected, location of breached information listed as Email)

Jan 30, 2026

VNA Texas notifies the Texas Attorney General (11,210 Texas residents), posts substitute notice on vnatexas.org, mails individual notification letters, and publishes notice in print media

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Medical record number Diagnosis / treatment information Provider name and treatment location Prescription information

03

Contact & insurance

Phishing + targeted scams

Full name Government-issued ID number Medical information Health insurance information Subscriber / client ID number

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (publicly investigating) Shamis & Gentile P.A. (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Visiting Nurse Association of Texas, LLC is a Dallas-based nonprofit, founded in 1934, that delivers in-home health care, hospice care, palliative care, and Meals on Wheels across North Texas through roughly five branch locations. Its client population, by design, is homebound: elderly adults, terminally ill patients receiving hospice, and disabled adults dependent on caregivers and meal delivery. The 28,515-record dataset disclosed in this incident reflects that population.

Timeline

  • July 17, 2025 — VNA Texas detects unusual activity on its network. The subsequent investigation confirms that an unauthorized third party accessed sensitive personal information stored in employee email accounts.
  • October 10, 2025 — VNA Texas files a Hacking/IT Incident report with the U.S. Department of Health and Human Services Office for Civil Rights, listing 28,515 affected individuals and the location of the breached information as Email.
  • January 30, 2026 — VNA Texas posts a substitute notice on vnatexas.org, files with the Texas Attorney General (covering 11,210 Texas residents in that filing), begins mailing individual notification letters, and publishes notice in print media.

The roughly six-month gap between detection in July 2025 and individual notification in January 2026 is consistent with the mailbox-review and identity-affected workflow typical of email-account breaches, where forensic counsel must read the contents of the compromised mailboxes line by line to determine whose data is implicated.

What was exposed

Per VNA Texas’s substitute notice and the Texas AG filing, the exposed dataset includes:

  • Full name
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Government-issued ID number
  • Medical information, including diagnosis / treatment information and medical record numbers
  • Health insurance information, including subscriber / client ID numbers
  • Provider name, treatment location, and admission dates
  • Prescription information

This is a full-profile combination: the SSN-plus-driver’s-license-plus-date-of-birth cluster supports new-account identity fraud, while the medical and insurance fields support medical identity theft (fraudulent claims, EOB irregularities, and prescription fraud).

The breached location on the OCR filing is Email, and the publicly available secondary reporting describes the vector as unauthorized third-party access to employee email mailboxes. That pattern is the signature of credential theft via phishing or business email compromise, although VNA Texas has not publicly confirmed the specific intrusion method.

Sensitive-population considerations

VNA Texas’s three core service lines — home health, hospice, and Meals on Wheels — converge on an elderly, frail, and often cognitively impaired population. That creates two compounding harms that are not always obvious from the headline number.

First, the affected individuals are disproportionately unable to monitor their own credit or accounts. Hospice patients are by definition at end of life; many home-health patients are recovering from acute hospitalization, living with dementia, or otherwise dependent on a family caregiver or guardian for daily decisions. Standard breach guidance (“watch your credit reports,” “review your EOBs”) assumes a level of administrative bandwidth that does not exist for a meaningful share of this class. The practical protective workload falls on adult children, spouses, guardians, and durable-power-of-attorney holders.

Second, estates and survivors are a second-order class. When a hospice patient dies after a breach but before fraud manifests, the SSN, DOB, and provider information remain valuable to identity thieves for months or years. Synthetic identities built on the records of the recently deceased are a documented fraud pattern. Family members closing out an estate should treat the decedent’s SSN as compromised and notify the Social Security Administration and the three credit bureaus accordingly.

The exposed dataset also includes hospice and palliative care diagnosis and treatment information for at least some of the class. That clinical detail (terminal diagnosis, prognosis, treatment plan) carries independent privacy weight beyond the identity-fraud risk.

Class-action posture

Two plaintiff firms have publicly opened investigations: Strauss Borrelli PLLC (announced January 30, 2026) and Shamis & Gentile P.A. No consolidated complaint or filed class action has been publicly confirmed in the sources reviewed for this page as of the lastUpdated date. ClassAction.org’s own investigation has closed without naming a filing firm, with affected individuals directed to local counsel.

The likely theories, given the fact pattern, are the standard data-breach playbook: negligence in failing to implement reasonable email-security controls (multi-factor authentication on mailboxes, conditional access, anti-phishing tooling), breach of implied contract with patients, and violations of state consumer-protection statutes including the Texas Identity Theft Enforcement and Protection Act. The hospice and elderly composition of the class is a plausible aggravating factor at the damages stage.

On the regulatory side, the OCR investigation is open. No public OCR enforcement resolution has been announced.

What to do

This week:

  1. Place a free credit freeze with Equifax, Experian, and TransUnion. For an elderly parent or spouse who is a VNA Texas patient, you can place a freeze on their behalf if you hold durable power of attorney, conservatorship, or are a court-appointed guardian. This is the single highest-leverage protection against new-account fraud.
  2. Enroll in the complimentary credit monitoring VNA Texas offered in the individual notification letter. Do not let the enrollment window lapse. For a hospice or home-health patient who cannot manage enrollment themselves, the named authorized representative on file with VNA Texas can typically enroll on their behalf.
  3. File IRS Form 14039 (Identity Theft Affidavit) to block a fraudulent tax return being filed under the affected SSN. This matters even for hospice patients: tax fraud against a decedent’s SSN in the year of death is a recurring pattern.

This month:

  1. Review Explanation of Benefits statements from Medicare, Medicaid, and any commercial insurer for services the patient did not receive. Medical identity theft against home-health and hospice records is particularly hard to detect because the underlying service utilization is already high.
  2. If the affected individual is deceased, notify the Social Security Administration, the three credit bureaus, and the IRS of the death using the official decedent procedures, and request that the credit file be flagged as “deceased — do not issue credit.”
  3. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across home-health agencies, hospices, insurers, HIEs, and prescription networks, so the demographic and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.
  4. Watch for follow-on letters. Downstream insurers, billing vendors, and affiliated programs may issue their own notifications referencing this same incident.

This page is a summary maintained by HealthConsent and was last cross-referenced against the HHS OCR breach portal, Strauss Borrelli’s public investigation notice, ClassAction.org’s case page, and ClaimDepot’s filings summary on the date listed in lastUpdated. Specific facts in this page have been verified against the OCR portal entry and corroborated by at least one additional source.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.