On February 18, 2025, Consultants in Pain Medicine (CPM) disclosed that a data breach occurred between June and July 2024, compromising individuals’ protected health information (PHI).
Recently, CPM, a San Antonio-based healthcare provider specializing in pain management, filed a notice of data breach with the Attorney General of Texas after discovering unauthorized access to its computer network.
According to CPM, an unauthorized actor gained access to sensitive personal information, including names, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, financial account details, passport numbers, medical records, and health insurance policy information.
Following an investigation, CPM determined that the breach occurred between June 26, 2024, and July 7, 2024. On February 14, 2025, the organization began notifying affected individuals.
The CPM notification letter states, “To date, we are not aware of any reports of identity fraud or improper use of any information as a direct result of this incident.”
However, “Out of an abundance of caution, we provided written notification of this incident commencing on or about February 14, 2025, to all those potentially impacted to the extent we had a last known home address.”
HIPAA’s Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. If a breach affects 500 or more individuals, the organization must also notify the Department of Health and Human Services (HHS) within that same 60-day window, and if more than 500 residents of a single state or jurisdiction are affected, it must notify prominent media outlets serving that area as well. Smaller breaches are logged and reported to HHS annually.
CPM’s notification letters went out roughly seven months after the intrusion window closed in July 2024. The 60-day clock runs from the date the breach was discovered, not from the date it occurred, and the notice does not say when CPM discovered the intrusion, so regulators may examine when discovery took place and whether CPM met the required notification timelines and maintained adequate security controls.
Go deeper: What are the HIPAA breach notification requirements
Unlike a payment card number, medical records and Social Security numbers cannot easily be replaced, which makes them especially valuable on the dark web. Individuals affected by the CPM breach could therefore face fraudulent medical claims, corrupted medical histories, and unauthorized use of their insurance benefits.
From a regulatory standpoint, healthcare providers must comply with HIPAA to protect patient data, and violations can result in substantial fines, legal consequences, and loss of patient trust.
Learn more: How HIPAA compliance improves patient trust
Under HIPAA, a breach is the unauthorized acquisition, access, use, or disclosure of protected health information (PHI). Examples include hacking, losing a device that contains PHI, and sharing information with unauthorized individuals.
See also: How to respond to a data breach
Individuals who suspect their data has been compromised should monitor their financial and medical accounts for suspicious activity, review explanation-of-benefits statements from their health insurer for services they did not receive, and report any unauthorized transactions or claims immediately.
No. Under U.S. federal law, placing, temporarily lifting, or removing a credit freeze is free at each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion), and so is placing a fraud alert. Consumers are also entitled to a free credit report from each bureau annually.