Network Attack on VITAS Hospice Services Discovered After a Month

By Daniel Lopez

VITAS Hospice Services, LLC, the biggest hospice chain in the U.S., has notified the California and Texas attorneys general of a data security breach that compromised sensitive patient information. An unauthorized person logged into an account used by a vendor and used that account to view selected VITAS systems.

VITAS discovered the security breach on October 24, 2025. The forensic investigation confirmed unauthorized access to its network for over one month, from September 21, 2025 to October 27, 2025. In that period, the unauthorized third party viewed and downloaded the personal data of current and former VITAS patients.

VITAS engaged a third-party cybersecurity company to investigate the cause of the breach and took steps to reinforce vendor oversight and enhance its data security practices. At the time it sent notifications to the affected patients, VITAS had not received any reports of data misuse. Nevertheless, as a safety measure against identity theft and fraud, VITAS offered the affected patients free credit monitoring and identity theft protection services for 24 months.

The breached data varies from one affected individual to another and might include names along with some or all of the following: phone number, birth date, address, driver’s license number, Social Security number, next-of-kin contact details (name, phone number and email address), diagnosis, prescription drugs, laboratory results, medical conditions, treatment data, medical insurance data, and other personal data.

The exact number of affected individuals is still unknown, since neither the California nor the Texas attorney general has announced the total number of individuals affected by the breach. The Texas Attorney General was informed that 5,633 individuals in Texas had their data impacted by the breach. The breach has likely affected more people, since the company’s facilities are located in 15 U.S. states. With so many facilities operated by this hospice chain, it is necessary to conduct HIPAA training for employees to ensure data protection is in place.

Image credit: Timon, AdobeStock

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA