A planned class-action lawsuit against Sierra Vista Hospital & Clinics in Truth or Consequences reveals that a major data breach occurred in late January 2025, potentially exposing patients’ personal data. The breach affected residents in Texas, Massachusetts and New Hampshire, as well as New Mexico and potentially in other states as well.
Attorneys are currently investigating the potential of filing a class-action suit and are calling for individuals who received a notice from Sierra Vista Hospital & Clinics that their data was part of the breach to reach out. The notice was reportedly sent on Oct. 6 and 7, over eight months after the actual breach, which the company confirms happened between Jan. 14 and 31.
According to the hospital, the breach was discovered on Jan. 29. Following an investigation, the hospital concluded on Aug. 13 that portions of its network that included files containing personal and health data may have been accessed without authorization. The types of information potentially exposed include names and addresses, state identification and driver’s license numbers, medical information and health-insurance details. The Texas attorney general’s security breach report also lists Social Security Numbers as being potentially exposed.
Sierra Vista Hospital serves a southwestern rural community, and the breach makes it clear that cybercriminals are no longer targeting only large urban healthcare systems. With the data that may have been collected, criminals could steal patients’ identities and use it to open credit accounts, apply for loans or take out services in a victim’s name. Stolen medical records can be used to file false insurance claims or obtain medical services that will be billed to the victim. The data can even be sold online in underground markets to other criminal groups. Scammers can also use any information gathered in this way to create targeted scams that use the data to make more convincing claims.
The hospital has reportedly implemented new safeguards like improved email filtering, enhanced malware-monitoring and strengthened cybersecurity training for its employees as a response to the breach. In its notice to Massachusetts patients, the hospital has offered complimentary access to a fraud protection service and has encouraged affected patients to use its identity restoration services, but it’s unclear whether that offer is extended to New Mexican patients as well.
It also remains unclear how many New Mexican patients were involved in the breach or whether the hospital has filed a report with the Office for Civil Rights (OCR), as required by law. Sierra Vista Hospital & Clinics did not respond to a request for clarification.
Patients whose information may have been exposed are advised to protect themselves by monitoring credit and bank statements for unusual activity and reviewing insurance benefits for unfamiliar charges. They’re also advised to change passwords, enable multi-factor authentication on medical and financial accounts and consider using any identity-protection service. Anyone experiencing fraud should keep copies of all breach-related documents and file a police report.
Potential HIPAA violations can also be reported to federal or state regulators.
