West Texas Health Data Breach 2025: 73,720 Affected · Hacking/IT Incident · Abilene, TX Business Associate. Multi-State AG Filings. What To Do.
West Texas Health, PLLC — an Abilene, Texas multispecialty physician group and member of Privia Medical Group acting as a HIPAA business associate to Privia Medical Group West Texas, LLC — reported 73,720 individuals affected by a network-server intrusion between September 12 and October 3, 2025. State AG filings confirmed in 14 states. A class-action investigation is active. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 12, 2025
Unauthorized access to West Texas Health's network begins (per forensic investigation).
Oct 3, 2025
West Texas Health discovers the security incident and engages external cybersecurity professionals; unauthorized access window closes.
Nov 17, 2025
Breach first reported to the Texas Attorney General — initial count 2,024 Texas residents affected.
Nov 19, 2025
Dark-web monitoring services report a possible West Texas Health data leak.
Dec 2, 2025
Breach reported to HHS OCR — 73,720 affected, Hacking/IT Incident at Network Server, Business Associate.
Dec 3, 2025
Migliaccio & Rathod LLP announces a class-action investigation of the West Texas Health data breach.
Feb 1, 2026
Privia Medical Group West Texas, PLLC begins mailing individual notification letters by U.S. mail; complimentary credit monitoring offered to those with SSN exposure. Dedicated response line 833-918-1247 activated.
Feb 6, 2026
Forensic investigation and document review conclude; West Texas Health confirms specific data elements were acquired.
Feb 23, 2026
Massachusetts Office of Consumer Affairs records breach 2026-262 — 10 Massachusetts residents affected; SSN, medical records, financial accounts, driver's license, and credit/debit numbers all confirmed breached.
Sep 12, 2025
Unauthorized access to West Texas Health's network begins (per forensic investigation).
Oct 3, 2025
West Texas Health discovers the security incident and engages external cybersecurity professionals; unauthorized access window closes.
Nov 17, 2025
Breach first reported to the Texas Attorney General — initial count 2,024 Texas residents affected.
Nov 19, 2025
Dark-web monitoring services report a possible West Texas Health data leak.
Dec 2, 2025
Breach reported to HHS OCR — 73,720 affected, Hacking/IT Incident at Network Server, Business Associate.
Dec 3, 2025
Migliaccio & Rathod LLP announces a class-action investigation of the West Texas Health data breach.
Feb 1, 2026
Privia Medical Group West Texas, PLLC begins mailing individual notification letters by U.S. mail; complimentary credit monitoring offered to those with SSN exposure. Dedicated response line 833-918-1247 activated.
Feb 6, 2026
Forensic investigation and document review conclude; West Texas Health confirms specific data elements were acquired.
Feb 23, 2026
Massachusetts Office of Consumer Affairs records breach 2026-262 — 10 Massachusetts residents affected; SSN, medical records, financial accounts, driver's license, and credit/debit numbers all confirmed breached.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
West Texas Health, PLLC is an Abilene, Texas multispecialty physician practice and a member of Privia Medical Group’s West Texas market. The practice has served Abilene and surrounding communities for more than 50 years, formerly operating as Abilene Diagnostic Clinic, and offers primary care, internal medicine, OB/GYN, pediatrics, plastic surgery, podiatry, chiropractic, spine care, occupational health, and acute care.
On December 2, 2025, the entity reported a Hacking/IT Incident at a Network Server to the HHS Office for Civil Rights, affecting 73,720 individuals and filed as a Business Associate. Unauthorized access to the network ran from September 12 through October 3, 2025, when West Texas Health discovered the activity and engaged external cybersecurity professionals. The forensic document review concluded on February 6, 2026, and Privia Medical Group West Texas, PLLC began mailing notification letters shortly after. West Texas Health first reported the incident to the Texas Attorney General on November 17, 2025 — two weeks before the HHS OCR filing — listing 2,024 Texas residents initially affected, a figure later revised upward as the document review progressed. Aggregator tracking platforms report a total affected count of approximately 74,456 individuals once state filings were updated. No ransomware group has publicly claimed responsibility; dark-web monitoring services flagged a possible data leak on November 19, 2025.
Timeline
- September 12 – October 3, 2025 — Unauthorized actor maintains access to West Texas Health’s network (intrusion window confirmed by forensic investigation).
- October 3, 2025 — West Texas Health detects the security incident, engages external cybersecurity professionals, and the access window closes.
- November 17, 2025 — Breach first reported to the Texas Attorney General; initial count of 2,024 Texas residents listed.
- November 19, 2025 — Dark-web monitoring services report a possible West Texas Health data leak (referenced by class-action counsel; no ransomware group has publicly claimed credit).
- December 2, 2025 — Breach filed with HHS OCR: 73,720 affected, Hacking/IT Incident, Network Server, Business Associate.
- December 3, 2025 — Migliaccio & Rathod LLP publishes a class-action investigation notice for affected individuals.
- February 6, 2026 — West Texas Health confirms, after extensive forensic review, that specific protected health information was acquired in the incident.
- February 2026 — Privia Medical Group West Texas, PLLC begins mailing individual notification letters by U.S. mail. Complimentary credit monitoring is offered to individuals whose Social Security numbers were exposed. Dedicated response line 833-918-1247 is activated (Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern, excluding holidays).
- February 23, 2026 — Massachusetts Office of Consumer Affairs records breach 2026-262: 10 Massachusetts residents affected; SSN, medical records, financial accounts, driver’s license, and credit/debit numbers all confirmed.
What was exposed
Per the entity’s notice and trade-press reporting, the specific data elements varied by individual; your notification letter is the authoritative list for you. The categories confirmed exposed across the affected population include:
- First and last name.
- Social Security number.
- Driver’s license or state-issued identification number.
- Passport number, military identification, or other government-issued identification number.
- Financial account information and financial account numbers.
- Payment card information.
- Taxpayer identification number or IRS Identity Protection PIN.
- Medical history, medical diagnosis, and treatment information.
- Health insurance policy numbers, claims history, and other health insurance information.
- Username or email address combined with password or security question and answer.
The credential pair (username/email with password and security Q&A) is the most operationally urgent element: reused passwords can be replayed against email, banking, and patient-portal accounts. The IRS Identity Protection PIN is unusual to see in a healthcare breach and is high-risk for tax-refund fraud if exposed.
What West Texas Health is offering
West Texas Health is providing complimentary credit monitoring services to individuals whose Social Security numbers were exposed. Enrollment instructions and any activation code are printed inside the mailed notification letter. The specific monitoring vendor is not publicly named in the official notice.
For questions about the incident, contact the dedicated response line:
833-918-1247 (toll-free) — Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern time, excluding holidays.
Who’s notifying you (Business Associate — through Privia Medical Group West Texas)
West Texas Health, PLLC filed this breach with HHS OCR as a Business Associate. Practically, that means most affected individuals did not have a direct billing or front-desk relationship with the legal entity “West Texas Health, PLLC.” They were patients of Privia Medical Group West Texas, PLLC, the multispecialty practice that operates under the Privia Health brand in the Abilene region.
The official notice letter confirms: “This incident only occurred within West Texas Health’s network, and Privia’s network and systems were not affected by this incident.”
Concretely:
- Your notification letter may arrive on Privia Medical Group West Texas, PLLC letterhead — that is the covered-entity affiliate handling the mailings.
- Notification is by U.S. mail. There is no legitimate text-message or unsolicited-email enrollment flow for this incident; treat any such messages as phishing.
- Credit-monitoring enrollment codes are printed inside the letter. Do not enter personal information into any site reached through unsolicited email or SMS links.
State regulatory filings
West Texas Health and Privia Medical Group West Texas notified attorneys general and consumer-protection agencies in at least 14 states. Confirmed filings include California, Iowa, Maine, Massachusetts (breach 2026-262, February 23, 2026, 10 residents), Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas (first filed November 17, 2025), Vermont, Washington, and the U.S. Department of Health and Human Services. The Texas AG filing was the earliest regulatory disclosure on record for this incident, predating the HHS OCR submission by two weeks.
Class-action posture
At least two class-action firms have announced investigations of this incident:
- Migliaccio & Rathod LLP (announced December 3, 2025) is investigating claims arising from the West Texas Health data breach and invites affected individuals to contact the firm.
- Shamis & Gentile P.A. is also investigating on behalf of affected Privia Medical Group West Texas patients.
As of this writing, no consolidated class action, certified class, or proposed settlement has been published. Investigations of this kind typically lead to one or more complaints alleging failure to implement reasonable cybersecurity safeguards and delayed notification; outcomes depend on case consolidation, certification, and any future settlement. Treat any “settlement payment” outreach you receive in 2026 as suspect until you can verify it against a published case caption and a court-approved settlement website.
What to do
- Read the letter carefully. It identifies which specific data elements were exposed for you and how to enroll in the complimentary credit monitoring and identity-theft protection West Texas Health is offering for individuals with SSN exposure.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the most effective single step against new-account fraud given the SSN, driver’s-license, and passport exposure here.
- Request an IRS Identity Protection PIN at irs.gov if yours was exposed (or rotate it through the IRS process). This is the single most important step for individuals whose IP PIN was in scope.
- Rotate any reused passwords, especially the one tied to your Privia patient-portal login or any portal that shared a password with it. Turn on multi-factor authentication on email, bank, and benefits accounts. Credential reuse is the most predictable downstream harm here.
- Watch your Explanations of Benefits for unfamiliar claims and request a one-time medical-records audit from your providers if anything looks off. Medical-identity misuse is a real risk where diagnosis, treatment, and insurance data are exposed.
- Stop the ongoing flow of your healthcare data. HealthConsent files HIPAA restriction requests so the demographic, diagnosis, and insurance data exposed in this breach is not continuously re-shared by downstream entities.
Sources
- HHS Office for Civil Rights — Breach Portal — federal regulatory record: West Texas Health, PLLC, Texas, Business Associate, 73,720 individuals affected, Hacking/IT Incident at Network Server, reported December 2, 2025.
- West Texas Health — Official Breach Notice Letter (PDF) — entity’s own notice confirming: intrusion window September 12 – October 3, 2025; PHI categories; complimentary credit monitoring for SSN-exposed individuals; dedicated response line 833-918-1247 (Mon-Fri, 9am-9pm ET).
- HIPAA Journal — Six New Healthcare Data Breaches Announced — trade-press confirmation of the discovery date (October 3, 2025), intrusion window (September 12 – October 3, 2025), document-review conclusion (February 6, 2026), the 73,720 figure, the enumerated data elements, and the credit-monitoring offering.
- Migliaccio & Rathod LLP — West Texas Health Data Breach Investigation — class-action investigation notice (December 3, 2025); reports the November 19, 2025 dark-web monitoring signal.
- ClaimDepot — Privia Medical Group / West Texas Health Data Breach — aggregator listing updated to 74,456 total affected; lists 14 state AG portals where filings were submitted including Texas AG (November 17, 2025), Massachusetts, Maine, California, Oregon, and others; notes Shamis & Gentile P.A. investigation.
- Massachusetts Office of Consumer Affairs — Breach 2026-262 West Texas Health PLLC — state-level filing: 10 Massachusetts residents affected, filed February 23, 2026; SSN, medical records, financial accounts, driver’s license, and credit/debit numbers all confirmed breached.
- Massachusetts AG — Data Breach Notification Letters February 2026 — index page confirming the 2026-262 West Texas Health PLLC listing with 256.45 KB notice letter.
- Privia Medical Group — West Texas Market Page — confirms Privia Medical Group West Texas, PLLC’s services and Abilene-area footprint; names Thomas Headstream, MD as CEO and confirms West Texas Health PLLC is a member practice.
- West Texas Health — About Us — entity homepage confirming the West Texas Health, PLLC corporate identity, 50-year history (formerly Abilene Diagnostic Clinic), and affiliation context.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights — Breach Portal
- HIPAA Journal — Six New Healthcare Data Breaches Announced (West Texas Health detail)
- Migliaccio & Rathod LLP — West Texas Health Data Breach Investigation
- ClaimDepot — Privia Medical Group / West Texas Health Data Breach (updated total: 74,456 affected; 14 state AG filings listed)
- Privia Medical Group — West Texas Market Page
- West Texas Health — About Us
- West Texas Health — Official Breach Notice Letter (PDF) confirming PHI categories and 833-918-1247 response line
- Massachusetts Office of Consumer Affairs — Breach 2026-262 West Texas Health PLLC (10 MA residents; SSN, medical, financial, driver's license, credit/debit all breached)
- Massachusetts AG — Data Breach Notification Letters February 2026 (2026-262 listing)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.