Texas Tech University Health Sciences Center Breach Analysis — Texas Breach Tracker

Incident Date

2024-11-20

Records Exposed

1,400,000

Attack Type

Ransomware

Threat Actor

Interlock

Incident Timeline

2024-11-20

Ransomware detonated — clinical and research systems offline
2024-11-22

Interlock group claims responsibility; data published on leak site
2024-12-10

Systems progressively restored; forensic scope determined
2025-01-30

HHS OCR notification filed; 1.4M patients notified

Attack Vector Analysis

How they got in

Interlock ransomware group gained initial access via phishing targeting clinical research staff. Double-extortion: data exfiltrated to Interlock leak site prior to encryption. Both Lubbock and El Paso campuses affected, suggesting shared network infrastructure.

What CoreRecon Would Have Caught

Sentinel / Fortress / Command coverage

Sentinel 24/7 SOC with healthcare-specific threat intel: Interlock TTPs mapped to SIEM rules; C2 callback detected pre-detonation

Fortress Exfiltration detection: large outbound transfer to unknown external IP triggers DLP block and SOC alert — data theft prevented before ransomware detonation

Command HIPAA risk assessment identifies campus network architecture as high-risk single failure domain; segmentation recommended and tracked to completion

Sentinel ($89/ep/mo) — 24/7 SOC + SIEM. Fortress ($109/ep/mo) — Sentinel + EDR management + vulnerability management. Command ($129/ep/mo) — Fortress + vCISO + compliance mapping + IR plan. See full tier comparison →

Compliance Failures Mapped

Regulatory exposure

Regime	Standard / Citation	Gap Identified
HIPAA	45 CFR §164.308(a)(1)	Risk analysis — multi-campus network architecture not assessed for ransomware propagation risk
HIPAA	45 CFR §164.312(a)(1)	Access control — research staff credentials gave access to clinical systems beyond job function
TDPA	Tex. B&C Code §521.053	1.4M TX patient notification obligations triggered

How to Not Be Next

5-point hardening list

1

Campus network segmentation: Lubbock and El Paso on isolated VLANs — compromise of one campus cannot propagate to other
2

Research/clinical access separation: research staff cannot access patient clinical records — separate identity domains
3

Interlock/ransomware-specific SIEM rules: subscribe to threat intel feeds with academic health sector coverage
4

Exfiltration detection: DLP rules on large outbound transfers from clinical systems; automatic block + SOC alert
5

Immutable backup for both campuses: WORM-compliant, geographically distributed, restore-tested quarterly

Source Citations

CoreRecon cites verifiable public sources only. No speculation on unverified attribution is published. Threat actor attribution appears only where publicly confirmed by law enforcement or the organization.

More Healthcare Incidents

Is your organization hardened against this attack vector?

Free $2,500 security posture assessment for Texas organizations. We map your gaps against the same attack vectors used in this incident. No contract, no commitment.

Request Free Assessment ← Full Tracker

Texas Tech University Health Sciences CenterBreach Analysis

How they got in

Sentinel / Fortress / Command coverage

Regulatory exposure

5-point hardening list

Is your organization hardened against this attack vector?

Texas Tech University Health Sciences Center
Breach Analysis