The Texas facility recently announced a data breach that lasted approximately two weeks.
What happened
Nacogdoches Memorial Hospital (NMH), a 226-bed hospital in Nacogdoches, Texas, was recently the victim of a data breach. According to the data breach notice, NMH became aware of the incident on January 31st, 2026, when it learned that an unauthorized party had compromised the hospital’s computer network and information systems.
NMH reported to the Attorney General of Maine that a total of 257,073 individuals were impacted. Data accessed included protected health information (PHI) like names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, medical record numbers, account numbers, and in some cases, full face photographs of patients.
Going deeper
The breach went unnoticed for approximately two weeks. According to NMH, the breach first began on January 15th and ended once NMH discovered the incident and initiated their incident response plan.
As part of their statement, NMH said, “Unfortunately, these types of cyber-attacks and security incidents have become increasingly common and even organizations with the most sophisticated IT infrastructure available are affected.” In response, NMH says they will be implementing “remediation measures” to prevent recurrence and to strengthen network security. They also said they will update procedures and provide additional awareness training.
The big picture
As NMH noted, data breaches have become increasingly common, even when organizations take steps to secure PHI. According to a Paubox report, ransomware attacks have surged 264% since 2018, largely due to increased digitalization (most practices keep PHI documents online) and increased remote work, which can make it harder to ensure employees are following proper procedures. On top of this, AI has made threats more sophisticated and believable.
Despite the increase in attacks, organizations are still being held accountable and face significant financial repercussions. Data breach lawsuits have become the norm and the average cost of a breach settlement is $11 million. On top of this, organizations can face regulatory penalties, like Warby Parker, which faced a $1.5 million penalty. The exact ramifications for NMH aren’t yet known, but it’s likely they will have to respond to various legal accusations.
FAQs
What is an incident response plan?
An incident response plan (IRP) is an organization’s strategy for handling data breaches or other security incidents. It’s mandatory under HIPAA and usually involves the steps the organization plans to take to detect, contain, and recover from the incident.
What can malicious actors do with photos of patients?
Access to photos can present additional risks to victims of data breaches. Hackers can potentially use images to create fake social media profiles or deepfakes, which may make it easier to scam friends and family or damage a victim’s reputation.
Is awareness training enough to prevent data breaches?
Awareness training is a critical part of cybersecurity. It often involves learning how to spot suspicious requests and understanding the steps staff can take to keep data secure, such as following the minimum necessary standard, which advises practices to share only the PHI needed to complete a task.