Nacogdoches Memorial Hospital has reported a data security incident that potentially compromised the personal and protected health information (PHI) of 257,073 individuals. The 226-bed hospital in Nacogdoches, Texas, identified the breach on January 31, 2026, and determined through forensic investigation that unauthorized access began on January 15, 2026.
Scope of the Incident
The hospital confirmed that a hacker gained access to its computer network and information systems. Files containing patient information may have been accessed or acquired during the two-week period of unauthorized access. The impacted data includes names, addresses, telephone numbers, email addresses, Social Security numbers, birth dates, medical record numbers, health plan beneficiary numbers, account numbers, and full-face photo images for certain individuals.
Notification and Response
Notification letters were mailed to affected individuals on March 31, 2026. The hospital’s notice to the Maine Attorney General stated that no complimentary credit monitoring or identity theft protection services are being offered. The hospital advised patients to assume their data has been compromised and to consider protective measures such as placing a fraud alert or security freeze with Equifax, TransUnion, or Experian.
The hospital reported that it has not detected misuse of the impacted data and has no indications that misuse will occur. As of April 1, 2026, no threat group has claimed responsibility for the incident.
Security Measures Implemented
In response to the breach, Nacogdoches Memorial Hospital has strengthened its information systems and computer network security. The hospital is enhancing its cyber preparedness through additional employee training and updates to its policies and procedures. Law enforcement has been informed, and the hospital has committed to assisting with any investigation.
Regulatory Considerations
The incident involves protected health information, which is subject to the requirements of the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. Covered Entities and Business Associates are required to implement safeguards to protect patient data and to notify affected individuals and regulators when breaches occur. The hospital’s notification to the Maine Attorney General and its communication with patients reflect compliance with these requirements. The absence of complimentary credit monitoring services was explicitly stated in the hospital’s notice.