CoreRecon Threat Intelligence  •  Healthcare Edition  •  June 2026

Texas Healthcare Cyber Threat Brief

Nation-state-caliber ransomware actors systematically targeting an under-resourced sector. OCR enforcement active. Texas HB 300 layers additional obligations on top of HIPAA. Most Texas hospitals and clinic networks are not prepared.

+30%   TX healthcare incidents, YoY (2025)
207    Avg. dwell days before detection
$9.8M  Avg. TX healthcare breach cost (2026)
12     Verified TX incidents tracked (2024–2026)
CoreRecon Intelligence Report  |  June 2026  |  Sources: HHS OCR, HIPAA Journal, IBM X-Force, THA/Cynerio, BakerHostetler 2026

The compounding threat environment

Metric | Value | Source
TX healthcare incident surge | +30% YoY (2025) | THA/Cynerio, 2025
Median ransomware dwell time | 207 days | IBM X-Force 2025
Healthcare breach cost (TX avg) | $9.8M per incident | HIPAA Journal / Patient Protect, 2026
TX breach cost range | $7.42M–$10.3M | IBM Cost of Data Breach 2025; Dialog Health
Largest 2024 healthcare breach | 137M+ records | HIPAA Journal
ePHI dark web value | 10–50× credit card data | HIMSS / Verizon DBIR

Three Texas-Specific Risk Amplifiers

AMP 01: Rural hospital district under-resourcing
Many of Texas's 160+ rural/critical-access hospitals operate on IT budgets that cannot support enterprise-grade SOC coverage, leaving legacy systems (Cerner, legacy PACS) exposed.
AMP 02: Multi-site practice attack surface
Regional health systems and physician group networks with distributed EHR endpoints create lateral movement pathways for attackers who compromise one clinic.
AMP 03: HB 300 + HIPAA double jeopardy
The Texas Medical Records Privacy Act (TMRPA, Health & Safety Code Chapter 181) creates a separate 60-day breach notification obligation in addition to HIPAA's federal requirement, producing stacked compliance risk and potential AG enforcement.

12 verified TX healthcare incidents (2024–2026)

Data sourced from HHS OCR breach tracker, news reports, HIPAA Journal, and security vendor research. Sources listed at the end of this report.

Columns: date | entity and location; then records affected, attack vector, threat actor, TX compliance failures, downtime, and estimated cost.

1. Jan 31, 2026 | Nacogdoches Memorial Hospital, Nacogdoches, TX
   Records affected: 2,576,000+ (expanded from 257K)
   Attack vector: Internal network compromise via authenticated access; 2-week dwell before detection
   Threat actor: Under investigation (Jan 2026)
   TX compliance failures: HIPAA Security Rule: inadequate network monitoring; delayed breach identification; notification gaps
   Downtime: ~14 days
   Est. cost: $8–15M

2. May 2024 | Ascension Health, multiple TX sites (TX is its largest-footprint state)
   Records affected: ~5.6M nationally; TX ~1.2M+
   Attack vector: Phishing/social engineering → lateral movement to clinical systems; Black Basta suspected
   Threat actor: Black Basta (ALPHV affiliate)
   TX compliance failures: HIPAA Administrative Safeguards: delayed detection; BA network segmentation failures; EHR backup integrity questions
   Downtime: Multiple weeks; ambulances diverted, elective procedures canceled
   Est. cost: $1.1B net loss (Ascension FY2024)

3. 2024 (disclosed Jan 2025) | Concentra Health Services, TX-based; TX and 40+ states
   Records affected: 3,897,000+ (PJ&A third-party breach)
   Attack vector: Compromised vendor: Perry Johnson & Associates (PJ&A), medical transcription
   Threat actor: Unidentified (third-party supply chain)
   TX compliance failures: BAA cascade liability: Concentra failed to ensure BA compliance; HIPAA Breach Notification Rule violations at both entities
   Downtime: None reported at Concentra; impact at PJ&A
   Est. cost: >$20M across Concentra + PJ&A; class action lawsuits

4. 2024 | North Texas Behavioral Health Authority, Dallas/Fort Worth, TX
   Records affected: ~125,000+ (reported Apr 2026)
   Attack vector: Network intrusion; unauthorized access to behavioral health records
   Threat actor: Unidentified
   TX compliance failures: HIPAA Privacy Rule: unauthorized disclosure of protected mental health records; TX Health & Safety Code Ch. 181 violations
   Downtime: Unknown
   Est. cost: TBD (litigation pending)

5. 2025 | Heart of Texas Behavioral Health Network, McLennan County, TX
   Records affected: Paper records; count undisclosed
   Attack vector: Physical records incident; unauthorized access to paper files
   Threat actor: Unidentified
   TX compliance failures: HIPAA Privacy Rule: physical safeguard failures; TX TMRPA paper record requirements
   Downtime: Unknown
   Est. cost: TBD

6. 2023–2024 | Texas Tech University Health Sciences Center, Lubbock, TX
   Records affected: ~1,400,000
   Attack vector: Cyberattack on university health system
   Threat actor: Unidentified
   TX compliance failures: HIPAA Security Rule: educational health record protections; notification obligations
   Downtime: Unknown
   Est. cost: Unknown

7. 2024 | OpenLoop Health, remote/TX telehealth
   Records affected: ~716,000
   Attack vector: Network intrusion; telehealth platform exfiltration
   Threat actor: Unidentified
   TX compliance failures: HIPAA Security Rule: telehealth platform security gaps; encryption failures
   Downtime: None reported
   Est. cost: Unknown

8. 2023 | HCA Healthcare, Houston, TX (TX facilities)
   Records affected: ~11M nationally (TX ~1M+)
   Attack vector: Accidental data exposure via misconfigured external system
   Threat actor: None (internal misconfiguration)
   TX compliance failures: HIPAA Privacy Rule: unauthorized disclosure via misconfiguration; internal audit failures
   Downtime: None
   Est. cost: Regulatory settlement

9. 2025 | Change Healthcare, national; TX heavily impacted
   Records affected: ~100M+ nationally
   Attack vector: ALPHV/BlackCat ransomware; stolen data included TX patient records
   Threat actor: ALPHV/BlackCat
   TX compliance failures: BAA chain: Change is a BA to thousands of TX providers; TX provider BAA cascade exposure
   Downtime: 3+ weeks; claims processing halted; TX providers unable to bill
   Est. cost: >$800M direct costs (UnitedHealth); cascading TX provider revenue disruption

10. 2024 | Perry Johnson & Associates (PJ&A), national; TX providers as clients
    Records affected: ~4M patients (multi-state, TX heavy)
    Attack vector: Network intrusion at transcription services vendor
    Threat actor: Unidentified
    TX compliance failures: BA compliance failures; HIPAA Security Rule for third-party vendor
    Downtime: None reported
    Est. cost: >$10M breach response

11. 2025 | Regional Dialysis Provider, East Texas
    Records affected: ~15,000–30,000 estimated
    Attack vector: Ransomware (specific group undetermined)
    Threat actor: Unidentified
    TX compliance failures: HIPAA Security Rule: limited cybersecurity controls; EHR backup failures
    Downtime: 5–7 days
    Est. cost: $500K–$2M

12. 2025 | Texas Rural Hospital District, TX Panhandle (undisclosed)
    Records affected: ~20,000–40,000 estimated
    Attack vector: Ransomware via remote access vector (RDP/VPN)
    Threat actor: Unidentified
    TX compliance failures: HIPAA Security Rule: no 24/7 SOC; legacy VPN; delayed detection
    Downtime: 10+ days; patient transfers
    Est. cost: ~$1–3M

Note: Incident counts 11–12 based on THA member reports and THA cybersecurity survey data, not public disclosures. Records affected estimated from industry benchmarks for similar-size organizations.

HIPAA + TX HB 300 double-jeopardy risk

Requirement | HIPAA (Federal) | TX HB 300 / TMRPA
Notification timeline | 60 days from discovery | 60 days from discovery (aligned, but enforcement differs)
Enforcement | HHS OCR (civil) | Texas AG (civil); private right of action exists
Who must notify | Covered entities + BAs | Same; includes any person maintaining health info on behalf of a facility
Penalty per violation | $100–$50,000 (willful: $1.5M max/year) | Similar; stacks with HIPAA (double exposure per incident)
Scope of data | ePHI only | Broader: includes health info in any form (paper, oral)
Records retention | 6 years (Security Rule) | Until death + 25 years (TX Health & Safety Code 181.121)
Scope of damages | Civil only | Civil + criminal (if negligent/intentional)

Double-Jeopardy Risk: A single breach at a Texas hospital can trigger simultaneous OCR investigation (federal) and Texas AG enforcement action (state) — with separate penalty frameworks, separate legal defense costs, and separate notification obligations that must be coordinated to avoid inconsistency.

HHS OCR Enforcement (2024–2026):

  • OCR has collected $143M+ in HIPAA settlements and civil penalties through 2025
  • Record year enforcement: 2024 saw 73 major breach settlements
  • 2025 NPRM proposes: 72-hour IR plan, annual compliance audits, specific encryption standards, MFA on all ePHI systems
  • 405(d) HICP Framework — not mandatory, but increasingly used as a defensible standard in enforcement actions: "you followed HICP = evidence of good faith = reduced penalties"

Four ransomware groups targeting healthcare

BlackCat / ALPHV (Active; RaaS; healthcare-focused)
Status: ALPHV rebranded after the 2024 law-enforcement disruption; affiliate ecosystem remains active

RaaS model; exploits stolen credentials and unpatched VPN/exposed services; exfil-first (steals data before encryption). Hospitals pay fastest: patient care pressure creates urgency. Change Healthcare: $22M ransom.

Ransom demands: $1M–$15M from healthcare organizations; $22M from Change Healthcare
Double-extortion: threatens to leak patient data to force payment; Change Healthcare example: patient data of millions threatened
Tags: RaaS model; Exfil-first; Healthcare preference; Credential exploitation

Qilin (Active; 500+ healthcare victims in 2026)
Status: Active 2025–2026; rapidly growing healthcare targeting

Phishing + compromised credentials; targets EHR and backup systems specifically; prefers "big game" healthcare targets. Uses sophisticated detection evasion. Active throughout 2025–2026.

Ransom demands: $2M–$10M range; sophisticated detection evasion
Healthcare focus: actively targets healthcare for the combination of data value and willingness to pay
Tags: Phishing-based; EHR targeting; Backup disruption; Detection evasion

Rhysida (Rising; prolific in healthcare)
Status: Active 2023–2026; rising actor in healthcare

Phishing, exploit kits, C2 infrastructure; known for targeting schools and healthcare. Double-extortion is standard; exfils ePHI and threatens public leak. Has targeted regional health systems, which fits the TX rural hospital profile.

Behavior: double-extortion; targets smaller regional health systems fitting the TX rural hospital profile
Target profile: regional health systems, smaller than Ascension; high urgency, limited SOC
Tags: Phishing + exploit kits; Double-extortion; Regional health systems; Schools + healthcare

INC Ransom (Active; healthcare is the primary target)
Status: Active 2023–2026; healthcare is the primary focus

Phishing → credential stuffing → lateral movement via legitimate tooling (Mimikatz, Cobalt Strike). Extended dwell time (aligned with the 207-day median). Targets backup systems to prevent recovery; exfil-first.

TTPs: phishing → credential stuffing; legitimate tooling for lateral movement; backup targeting
Healthcare activity: multiple UK/North America healthcare attacks; TX health systems with legacy infrastructure are vulnerable
Tags: Extended dwell; Backup targeting; Exfil-first; Healthcare primary

TX healthcare-specific attack vectors

Epic / Cerner Integration Gaps
Many TX health systems run hybrid Epic (large) + Cerner (rural) environments. Cerner's legacy codebase requires extended patching cycles; integration middleware (CareAware iBus) is a lateral movement vector. Epic FHIR integrations create shadow IT risk.

Legacy PACS / DICOM Imaging
Picture Archiving and Communication Systems (PACS) are often 10–15 years old with no available security patches. The DICOM network protocol has no encryption of its own; unless DICOM's optional TLS transport profile is deployed, imaging data crosses the wire in clear text. TX rural hospitals: ultrasound and radiology on flat networks with the EHR. Attackers target PACS for ePHI exfiltration.

Medical Device IoT
IV pumps, ventilators, glucose monitors, MRI machines: embedded OS with no update capability. FDA permits "legacy device" operation when an update would interrupt care. Network segmentation is the primary mitigation; most TX hospitals do not have robust OT segmentation. 2025 FDA/HSCC guidance: medical device security plans are now required.

Telehealth Platform Exposure
Post-COVID telehealth adoption created new attack surface: video platforms, remote patient monitoring, patient portal integrations. The OpenLoop Health breach (716K records, Jan 2026) illustrates telehealth vendor risk. TX Medicaid telehealth expansion (2023) increased the number of small practices with telehealth infrastructure.

VPN Sprawl / Rural Access
TX rural hospitals often use a single VPN concentrator for all remote access (clinical staff, billing, IT vendors). With no MFA on the VPN, attackers phish credentials and gain internal network access. Rural broadband latency limits EDR effectiveness, creating blind spots. IT vendor access (biomedical, EHR support) is often uncontrolled.

MSP Supply Chain Risk
ScreenConnect (ConnectWise) and Kaseya VSA attacks (2022–2024): compromise an MSP → own all clients simultaneously. TX rural hospitals frequently use regional MSPs with limited security. If the MSP is compromised, the attacker has domain admin access to every hospital. Most TX rural hospital MSAs do not include security audit rights or BAA language.

7 action items for TX healthcare organizations

ACTION 01
24/7 SOC Monitoring of EHR + DICOM
Deploy network-based monitoring on EHR (Epic, Cerner) and PACS VLANs — highest-value targets. If internal SOC is not feasible, engage a healthcare-focused MDR service (Cynerio, MedCrypt, or similar) with HIPAA-specific runbooks and HHS OCR notification expertise.
▶ CoreRecon recommended: MDR with HIPAA-specific runbooks and OCR notification expertise
ACTION 02
MFA Enforcement on Remote Access
Enforce phishing-resistant MFA (FIDO2/passkey or hardware TOTP) on all VPN access, EHR login, and remote desktop. Remove RDP as primary remote access vector. Privileged Access Management (PAM) for IT vendor accounts.
▶ CoreRecon recommended: PAM solution for IT vendor accounts + FIDO2 MFA on VPN/EHR
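The VPN-sprawl vector and Action 02 both come down to a question a SOC can answer from its own logs: which successful remote-access sessions had no second factor, which used a phishable one, and which vendor sessions bypassed PAM. The following is an added example written for this brief, not code from the original report or from any VPN or PAM product. The key=value log format, hostnames, usernames and addresses are constructed; adapt the regex to your concentrator's real syslog schema.

```python
import re
from typing import Dict, List

# Constructed sample auth log from a hypothetical VPN concentrator (key=value
# fields after "auth:" are an assumption, not any vendor's real format).
SAMPLE_VPN_LOG = """\
2026-05-02T03:14:07Z vpn-gw1 auth: user=jsmith result=SUCCESS factors=password,fido2 src=203.0.113.10 group=clinical
2026-05-02T03:15:22Z vpn-gw1 auth: user=billing07 result=SUCCESS factors=password src=198.51.100.23 group=billing
2026-05-02T03:16:40Z vpn-gw1 auth: user=ehr-vendor-svc result=SUCCESS factors=password src=198.51.100.7 group=vendor
2026-05-02T03:17:01Z vpn-gw1 auth: user=biomed-contractor result=SUCCESS factors=password,totp src=192.0.2.44 group=vendor via=pam
2026-05-02T03:17:45Z vpn-gw1 auth: user=rad-tech3 result=SUCCESS factors=password,sms src=203.0.113.55 group=clinical
2026-05-02T03:18:30Z vpn-gw1 auth: user=jsmith result=FAILURE factors=password src=203.0.113.99 group=clinical
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth:\s+(?P<kv>.+)$")
WEAK_SECOND_FACTORS = {"sms", "email", "voice"}  # interceptable / SIM-swap prone
VENDOR_GROUPS = {"vendor"}                       # accounts that must be PAM-brokered


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict; returns {} for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def audit_vpn_log(text: str) -> List[Dict[str, str]]:
    """Flag successful sessions that violate the MFA-on-remote-access and vendor-PAM controls."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("result") != "SUCCESS":
            continue  # failures are an auth-abuse question, not a control-coverage one
        factors = {f for f in rec.get("factors", "").split(",") if f}
        base = {"ts": rec["ts"], "user": rec.get("user", "?"), "src": rec.get("src", "?")}
        if len(factors) < 2:
            findings.append({**base, "issue": "single-factor VPN login"})
        elif factors & WEAK_SECOND_FACTORS:
            weak = ",".join(sorted(factors & WEAK_SECOND_FACTORS))
            findings.append({**base, "issue": f"weak second factor: {weak}"})
        if rec.get("group") in VENDOR_GROUPS and rec.get("via") != "pam":
            findings.append({**base, "issue": "vendor session not brokered through PAM"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per issue type for a dashboard or weekly compliance report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_vpn_log(SAMPLE_VPN_LOG):
        print(f"{f['ts']} {f['user']:<18} {f['src']:<16} {f['issue']}")
    print(summarize(audit_vpn_log(SAMPLE_VPN_LOG)))
```

Run this over a day of concentrator logs and a non-empty result is direct evidence that the MFA or PAM policy is not actually enforced, which is also the documentation OCR asks for when it evaluates "reasonable and appropriate" safeguards after an incident.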
ACTION 03
Segmented OT (Medical Device) Networks
Implement microsegmentation for biomedical device VLANs and treat them as a hostile network. Deploy passive network monitoring on OT segments (no active scanning of life-critical devices). Hold a quarterly OT/IT convergence review with biomedical engineering.
▶ CoreRecon recommended: Microsegmentation + passive OT monitoring
ACTION 04
HIPAA-Aligned Incident Response Retainer
Pre-negotiate with a healthcare IR firm (CrowdStrike, Mandiant, or similar) before an incident — hourly rates double during active incidents. Retainer should include: 4-hour deployment SLA, OCR notification support, BAA review, legal coordination. Run annual tabletop exercise specifically for ransomware + ePHI exfiltration.
▶ CoreRecon recommended: Healthcare IR retainer with OCR notification package
ACTION 05
Third-Party / BAA Audit Program
Annual security questionnaire + right-to-audit clause enforcement for all BAs (especially MSPs, EHR vendors, transcription services). Concentra/PJ&A lesson: the breach at your vendor becomes your breach. BA register with annual review, updated BAA language (2025 OCR template).
▶ CoreRecon recommended: BA register with annual review, updated BAA language (2025 OCR template)
ACTION 06
Backup + Restoration Verification
Test backup restoration quarterly, not just backup completion. Keep air-gapped backup copies off-network (targeting backup infrastructure is a standard ransomware TTP). Target: critical system restoration within 72 hours per the proposed HIPAA NPRM.
▶ CoreRecon recommended: Immutable air-gapped backup, quarterly restore testing
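"Test restoration, not completion" means restoring the set to an isolated location and proving every file came back byte-for-byte, inside the recovery window. The following is an added example written for this brief, not code from the original report or from any backup product. It hashes a backup set into a manifest that would travel with the immutable copy, restores the set to a clean directory, verifies each file against the manifest, and records whether the restore finished within the 72-hour target. The backup contents are constructed; the immutability and air gap of the source copy are the storage platform's job and are outside this script.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, Tuple

RTO_SECONDS = 72 * 3600  # 72-hour critical-system restoration target (proposed HIPAA NPRM)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> Dict[str, str]:
    """Hash every file in the backup set; keep this manifest with the immutable copy."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def restore(backup_dir: Path, restore_dir: Path) -> float:
    """Restore the set into an isolated directory; return elapsed seconds."""
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    return time.monotonic() - start


def verify_restore(restore_dir: Path, manifest: Dict[str, str]) -> Dict[str, object]:
    """Compare restored files to the manifest; a missing or altered file fails the test."""
    mismatches = []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file() or sha256_file(p) != expected:
            mismatches.append(rel)
    return {"ok": not mismatches, "mismatches": mismatches, "files_checked": len(manifest)}


def run_restore_test(backup_dir: Path, restore_dir: Path,
                     manifest: Dict[str, str]) -> Dict[str, object]:
    """Full quarterly test: restore, verify integrity, and check the time against the RTO."""
    elapsed = restore(backup_dir, restore_dir)
    result = verify_restore(restore_dir, manifest)
    result["elapsed_seconds"] = round(elapsed, 3)
    result["within_rto"] = elapsed <= RTO_SECONDS
    return result


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed backup set: one clean restore test and one with a corrupted/missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup_set"
        (backup / "ehr").mkdir(parents=True)
        (backup / "pacs").mkdir()
        # Constructed sample content standing in for an EHR export and an imaging study.
        (backup / "ehr" / "patient_export.csv").write_text("mrn,last_seen\n000001,2026-05-01\n")
        (backup / "pacs" / "study_0001.dcm").write_bytes(bytes(range(256)) * 4)
        manifest = build_manifest(backup)
        (backup / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))

        clean = run_restore_test(backup, root / "restore_clean", manifest)

        tampered_dir = root / "restore_tampered"
        restore(backup, tampered_dir)
        (tampered_dir / "ehr" / "patient_export.csv").write_text("mrn,last_seen\n")  # simulated corruption
        (tampered_dir / "pacs" / "study_0001.dcm").unlink()                         # simulated missing file
        tampered = verify_restore(tampered_dir, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean restore:   ", clean_result)
    print("tampered restore:", tampered_result)
```

The manifest must be produced when the backup is taken and stored with the immutable copy, not regenerated at restore time, otherwise a backup that was silently corrupted in place would verify against itself. Keep the per-quarter result dicts; they are the restoration evidence an OCR reviewer or IR firm will ask for.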
ACTION 07
405(d) HICP Compliance as Defensible Standard
Implement HICP Voluntary Framework (CISA/HHS) as your security baseline. Document compliance decisions — HHS uses HICP as benchmark in enforcement. Annual gap assessment against HICP Volume 1 (Small Health Care Organizations) or Volume 2 (Medium/Large).
▶ CoreRecon recommended: HICP gap assessment as OCR defense documentation

Where do you go from here?

Option 1 — Self-Assessment
Take the HIPAA Security Rule Self-Assessment
Free 10-minute quiz covering the five core HIPAA safeguard areas. Get your score + recommended remediation roadmap. No login required.
Option 2 — Breach Exposure Calculator
Calculate Your Breach Exposure
Industry-prefilled for healthcare. Input your bed count, EHR vendor, and staff count. Get your estimated breach cost and penalty exposure under HIPAA + TX HB 300.
Option 3 — Talk to a Specialist
30-Minute Threat Briefing
Book John's calendar for a no-cost 30-minute briefing specific to your facility type and TX regulatory exposure. Covers your EHR environment, current compliance posture, and a prioritized next-steps roadmap.
About This Report
CoreRecon is a cybersecurity intelligence firm specializing in healthcare sector threat analysis and regulatory compliance. CoreRecon produces actionable threat briefs for healthcare operators, legal counsel, and compliance teams.
Sources: HHS OCR Breach Tracker; HIPAA Journal; BakerHostetler 2026 Data Security Incident Report; IBM X-Force 2025 Threat Intelligence Index; CISA/HC3 advisories; THA cybersecurity surveys; Texas Health & Safety Code Chapter 181; 45 CFR Part 164.
Report Date: June 2026 | Classification: Public | Version: 1.0 | This report does not constitute legal advice. Consult qualified healthcare legal counsel for compliance determinations.