Cyber Incident Victim: Nacogdoches Memorial Hospital
Date:
Jan 2026
Location:
United States of America
Summary
Nacogdoches Memorial Hospital reported a data breach in which threat actors accessed its internal network and obtained personal and health information of approximately 250,000 individuals. The compromised data included names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, medical record numbers, account numbers, health plan beneficiary numbers, and photographs. After discovering the incident, the hospital resecured its network, strengthened security controls, and notified law enforcement. It stated there is no evidence that the information has been misused and did not offer free identity theft or credit monitoring services to those affected. The facility operates a 226‑bed hospital providing emergency, cardiac, and surgical care.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Nacogdoches Memorial Hospital, which opened in December 1928 and operates a 226‑bed facility offering emergency care, cardiac care and surgery in Nacogdoches, Texas, reported that on January 31 a threat actor gained unauthorized access to its internal network and information systems. The hospital discovered the intrusion shortly thereafter and began an investigation. In a notification issued this week, the hospital told the Maine Attorney General’s Office that the attackers likely accessed the personal and health information of 257,073 individuals. The potentially exposed data elements include names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, medical record numbers, account numbers, health plan beneficiary numbers, and photographs.
In the letters sent to affected individuals, Nacogdoches Memorial Hospital stated that it has no evidence at this time that any of the compromised personal or health information has been misused as a result of the breach. The hospital urged those impacted to remain vigilant, monitor their financial and medical accounts, and report any suspicious activity or potential misuse of their information. Although it encouraged these precautions, the hospital did not offer free identity theft or credit monitoring services to the notified individuals. After discovering the incident, the hospital immediately resecured its computer network, implemented additional security hardening measures, and notified law enforcement agencies.
Nacogdoches Memorial Hospital did not disclose any details about the threat actor responsible for the attack, and SecurityWeek reported that no known ransomware group has claimed responsibility for the incident. The breach notification to the Maine Attorney General’s Office placed the total number of potentially affected individuals at 257,073, which aligns with the earlier figure of approximately 250,000 cited in the hospital’s initial public notice. The hospital continues to operate its 226‑bed facility and provide healthcare services while it maintains the enhanced security controls put in place after the breach.