Data breaches at Texas hospitals compromised millions of patients’ personal health data over the past year


Boram Kim


CHRISTUS Spohn Health System sent out notifications this week to patients whose personal health information may have been breached after a sample of data allegedly stolen from its network was posted on the AvosLocker dark web leak site. 





The data included patients’ names, dates of birth, Social Security numbers, diagnoses, and other medical information. 

In a statement, CHRISTUS Health reported the “unauthorized activity” on its computer network to authorities and said it is still reviewing the incident.

According to data from the US Department of Health and Human Services’ Office of Civil Rights (OCR), the breach at CHRISTUS Health may have affected more than 15,000 patients. 

Since July 2021, 32 health providers in Texas have reported personal data breaches that affected more than 3.8 million patients. The largest breach, affecting 1.29 million individuals, was reported at Texas Tech University Health Sciences Center in June.

Dallas-based Tenet Healthcare and its affiliate Baptist Health System reported a data breach that affected about 1.2 million of its patients in April. A class-action lawsuit was filed this month in Dallas County on behalf of a Texas resident, Troy Contreras, one of about 1.2 million patients affected by the breach.

Contreras alleges that Tenet Healthcare and Baptist Health System failed to properly notify patients of the incident or take proper precautions to prevent it. The lawsuit is seeking more than $1 million in damages.

Health care data breaches continue to be a national problem. According to the HIPAA Journal, 693 such breaches affecting more than 41 million health care records occurred in the 12 months since March 2021. 

In its latest report, the Government Accountability Office (GAO) recommended that OCR set up a feedback mechanism to enhance the effectiveness of its health care data breach reporting process. 

Based on that guidance, OCR announced it will implement a feedback mechanism by adding language and contact information to the confirmation email that health care entities receive.

OCR will also ask its regional offices to routinely review and respond to emails received about the breach reporting process.