Texas-based Nacogdoches Memorial Hospital (NMH) has confirmed that a January 2026 cyberattack against its internal network resulted in the exfiltration of detailed personal and healthcare information belonging to 2,507,073 patients. The incident, formally disclosed to the U.S. Department of Health and Human Services Office for Civil Rights, ranks among the largest US healthcare breaches reported this year and exposes patients across NMH's affiliated care network, including Care First Primary, East Texas Neurological, Memorial Family Medicine, and Stockman Pain Management.
What Happened
NMH says it detected the intrusion on January 31, 2026, after a threat actor obtained unauthorized access to internal systems and exfiltrated vast volumes of stored data. The hospital severed access upon discovery, engaged law enforcement, and launched a forensic investigation that ultimately confirmed the scope of the data theft.
The hospital has declined to publicly disclose the dwell time of the intruder, whether ransomware was deployed against its environment, or whether a ransom demand was issued in exchange for the stolen data. No threat actor has been publicly attributed to the incident as of disclosure, and no leak site claim has been confirmed. The combination of bulk exfiltration with operational silence is consistent with extortion-aligned intrusion patterns frequently observed in the US healthcare sector.
What Was Taken
NMH's investigation confirmed that the threat actor accessed and exfiltrated a particularly sensitive combination of identity, financial, and clinical data points. Affected fields include:
- Patient names, residential addresses, phone numbers, and email addresses
- Social Security numbers
- Dates of birth
- Medical record numbers and medical account numbers
- Health plan beneficiary numbers
- Possible photographic images of patients
With 2.5 million individuals impacted and a full identity package (PII plus SSN plus medical identifiers) exposed, the dataset is highly monetizable on criminal marketplaces and well-suited for medical identity fraud, insurance fraud, and synthetic identity creation.
Why It Matters
Healthcare remains the most consistently targeted vertical for data-extortion operations in the United States, and the NMH disclosure reinforces several uncomfortable trends for defenders. First, the breach involves a regional hospital network rather than a national system, demonstrating that adversaries continue to deeply penetrate mid-tier providers whose security investment often lags their data sensitivity. Second, the 90-plus day gap between discovery and public disclosure is in line with broader sector behavior but limits the window in which patients can take protective action.
Notably, NMH has not offered complimentary identity protection or credit monitoring services to affected patients, an unusual posture for a breach of this magnitude. Patients have instead been directed to obtain free credit reports on their own initiative, a decision likely to attract regulatory scrutiny and class-action attention.
The Attack Technique
Technical specifics of the intrusion vector have not been publicly released. However, the operational profile (unauthorized access to internal network and information systems, followed by large-scale exfiltration of structured patient records) is consistent with several common entry points observed across recent US healthcare breaches:
- Compromised VPN or remote access credentials, often obtained via infostealer logs or credential stuffing
- Exploitation of unpatched perimeter appliances such as firewalls, file-transfer software, or remote management tools
- Phishing leading to initial foothold, followed by lateral movement to EHR-adjacent infrastructure
- Third-party or managed service provider compromise cascading into the hospital environment
The hospital has stated that remediation includes network hardening, additional awareness training, and updated procedures, but has not disclosed whether multi-factor authentication, EDR coverage gaps, or identity infrastructure played a role.
What Organizations Should Do
Healthcare providers, particularly mid-sized regional networks operating multiple specialty clinics under a shared identity infrastructure, should treat the NMH disclosure as an active prompt to revalidate core controls:
- Audit all external-facing access (VPN, Citrix, RDP gateways, file transfer) and enforce phishing-resistant MFA on every account, including service accounts and break-glass identities.
- Hunt for infostealer-derived credentials tied to corporate email domains and clinic subsidiaries on criminal marketplaces, and force rotation for any matches.
- Segment clinical and administrative networks so that compromise of a satellite clinic identity cannot pivot directly into central EHR, imaging, or billing systems.
- Deploy EDR with 24x7 monitoring across endpoints and servers, with explicit detections for archive creation (7z, WinRAR), bulk-transfer tooling such as rclone, and outbound transfers to cloud storage providers.
- Establish data exfiltration baselines and egress alerting for large outbound volumes, particularly to consumer cloud storage and unfamiliar geographies.
- Pre-stage breach response decisions, including the policy on offering credit monitoring, so that disclosure does not become a secondary reputational incident.
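The archive-then-upload and egress-spike detections called for in the EDR and egress bullets above, as an added Python example that is not part of the original article: it correlates constructed process and flow log lines (the log format, host names, cloud storage domains and per-host baselines are assumptions) and flags a host that runs an archiver or rclone shortly before an upload to a cloud storage domain, or any single flow far above that host's usual daily egress.

```python
import re
from datetime import datetime, timedelta

# Tools named in the article; rclone is a transfer tool but is staged the same way.
STAGING_TOOLS = {"7z.exe", "winrar.exe", "rar.exe", "rclone.exe"}
CLOUD_STORAGE = {"mega.nz", "dropbox.com", "drive.google.com", "storage.googleapis.com"}
WINDOW = timedelta(hours=2)   # how long after a staging tool runs an upload is still "linked"
SPIKE_FACTOR = 10             # a single flow above 10x the host's daily baseline is a spike

# Constructed log format (hypothetical): "<iso-ts> proc|net key=value ...".
LINE = re.compile(r"(?P<ts>\S+) (?P<kind>proc|net) (?P<kv>.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOGS = [  # constructed events, not from any real environment
    "2026-01-30T09:10:00 net host=BILLING-01 dst=update.microsoft.com bytes=20971520",
    '2026-01-30T10:00:00 proc host=BILLING-01 user=svc_backup image=WinRAR.exe cmd="WinRAR a nightly.rar E:\\backup"',
    "2026-01-30T15:00:00 net host=BILLING-01 dst=crm.example.com bytes=1048576",
    "2026-01-30T11:00:00 net host=IMAGING-02 dst=storage.googleapis.com bytes=8000000000",
    '2026-01-30T22:05:11 proc host=CLINIC-WS07 user=jdoe image=7z.exe cmd="7z a -p patients.7z D:\\exports"',
    "2026-01-30T22:41:02 net host=CLINIC-WS07 dst=mega.nz bytes=5368709120",
]
# Assumed typical daily outbound bytes per host; a real deployment learns these from history.
DAILY_BASELINE = {"BILLING-01": 50_000_000, "CLINIC-WS07": 200_000_000, "IMAGING-02": 500_000_000}

def parse(line):
    m = LINE.match(line)
    ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
    ev.update((k, v.strip('"')) for k, v in KV.findall(m["kv"]))
    return ev

def detect(lines, baseline):
    """Return (host, rule, destination) alerts in time order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    last_staging = {}   # host -> time an archive/transfer tool last started
    alerts = []
    for ev in events:
        host = ev["host"]
        if ev["kind"] == "proc":
            if ev["image"].lower() in STAGING_TOOLS:
                last_staging[host] = ev["ts"]
            continue
        dst, nbytes = ev["dst"], int(ev["bytes"])
        staged = host in last_staging and ev["ts"] - last_staging[host] <= WINDOW
        if staged and any(dst == d or dst.endswith("." + d) for d in CLOUD_STORAGE):
            alerts.append((host, "archive_then_cloud_upload", dst))
        if nbytes > SPIKE_FACTOR * baseline.get(host, 0):  # no baseline: any flow is a spike
            alerts.append((host, "egress_spike", dst))
    return alerts
```

On the sample, BILLING-01's nightly WinRAR run produces no alert because its later flow is small, outside the window and not to cloud storage; the clinic workstation trips both rules.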
Sources: teiss - News - Over 2.5 million people impacted in Nacogdoches Memorial Hospital breach