Data Breach
Interlock Ransomware Group Claims 540 GB from Texas Hearing Institute, Nearly 30,000 Pediatric Patients Notified
TL;DR
A ransomware group called Interlock claims to have stolen 540 GB of data from a Houston pediatric hearing center. Nearly 30,000 patients were notified in late June 2026, roughly three months after the breach was first identified. No regulatory fine has been announced.
The Texas Hearing Institute in Houston notified at least 29,498 individuals after the Interlock ransomware group claimed a March 2026 attack exfiltrated 540 GB of data including Social Security numbers, financial records, and medical information.
A ransomware group called Interlock claims to have exfiltrated roughly 540 GB of data from the Texas Hearing Institute, a pediatric hearing center based in Houston, putting the sensitive records of at least 29,498 individuals at risk. This is a breach notification event, not an OCR enforcement action, and no regulatory fine has been announced.
What Happened
The Texas Hearing Institute identified the cyberattack on March 20, 2026. The organization confirmed the breach on April 22, 2026, and mailed patient notification letters on June 26, 2026. The Interlock ransomware group has publicly claimed responsibility and states it obtained approximately 540 GB of data from the organization's systems.
The types of information reportedly exposed include:
- Full names
- Social Security numbers
- Financial information
- Medical records
The combination of Social Security numbers and medical records in a pediatric population is particularly serious. Children's identities are attractive targets for fraud precisely because the theft often goes undetected for years, until the child is old enough to apply for credit or government benefits.
The Notification Timeline
The gap between discovery and patient notification deserves close attention. HIPAA's Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach.
45 CFR §164.404Here is how the timeline breaks down:
- March 20, 2026: Breach identified
- April 22, 2026: Breach confirmed
- June 26, 2026: Patient notification letters mailed
From the date the breach was identified to the date letters were mailed is approximately 98 days. From the confirmed date to mailing is approximately 65 days. Either way, the timeline runs close to or past the 60-day outer boundary set by the rule.
It is worth noting that HIPAA allows covered entities to delay notification if a law enforcement agency determines that notification would impede a criminal investigation. Whether any such delay was authorized here has not been reported. Absent that exception, regulators and affected individuals are likely to scrutinize the roughly three-month gap between identification and notification.
Warning
A breach involving Social Security numbers and medical records for a pediatric population carries compounded long-term risk. Children cannot monitor their own credit, and identity theft in this cohort frequently surfaces years after the initial compromise. Organizations holding pediatric data should treat it as among their highest-sensitivity data categories.
Why Specialty Pediatric Providers Are Targets
Interlock is a ransomware group that has been observed targeting healthcare organizations. Specialty providers like pediatric hearing centers often operate with leaner IT and security budgets than large hospital systems, yet they hold the same categories of highly sensitive protected health information that large systems do. That asymmetry makes them attractive targets.
Under HIPAA's Security Rule, covered entities of all sizes must implement administrative, physical, and technical safeguards appropriate to the size, complexity, and capabilities of the organization.
45 CFR §164.306This includes a required risk analysis and risk management process.
45 CFR §164.308Ransomware attacks that result in data exfiltration are presumed to be reportable breaches under HHS guidance unless the covered entity can demonstrate a low probability that protected health information was compromised, applying a four-factor risk assessment.
45 CFR §164.402What Compliance Officers and Practice Managers Should Do Now
If your organization is a specialty provider or operates in a similar footprint to the Texas Hearing Institute, this breach is a prompt to act on several fronts.
Review your incident response plan. The timeline here suggests the gap between identification and confirmed breach was over a month. Forensic investigation takes time, but your plan should set internal milestones that keep you on track to meet the 60-day notification deadline.
Audit your data inventory. Do you know exactly where Social Security numbers and financial information are stored, who can access them, and whether that access is necessary? If not, that is the first gap to close.
Evaluate ransomware-specific controls. This includes offline or immutable backups, network segmentation to limit lateral movement, and endpoint detection and response tools. These are not optional extras for small providers. They are the practical expression of your Security Rule obligations.
Prepare your notification infrastructure. If a breach occurs, you need to be able to mail individual notices, post a website notice, and notify HHS within defined windows. Many smaller organizations discover in the middle of a crisis that they have no template, no vendor relationship for printing and mailing, and no clear owner for the process.
45 CFR §164.412A Note on the Data Volume Claimed
The reported figure of 540 GB is the Interlock group's own claim. Independent verification of that figure has not been reported. Threat actors sometimes overstate exfiltration volumes to increase pressure on victims. However, even if the actual volume is smaller, the reported scope of data categories, including Social Security numbers and medical records for children, is the operationally important fact for affected individuals and for compliance teams assessing their own exposure to similar attacks.
The Texas Hearing Institute breach is a reminder that pediatric specialty providers hold some of the most sensitive data in healthcare and are frequent ransomware targets. The roughly three-month gap between breach identification and patient notification will draw scrutiny against HIPAA's 60-day notification rule. Compliance officers at small and mid-size specialty practices should treat this as a trigger to pressure-test their incident response timelines, data inventories, and ransomware defenses now, before an attack forces the issue.
Sources & citations
- HIPAA Journal: Data Breach Round-Up July 6, 2026Open
All content verified against official HHS guidance and the Code of Federal Regulations.
Frequently asked questions
Who is affected by the Texas Hearing Institute breach?▾
What data was exposed in the Texas Hearing Institute breach?▾
Who is the Interlock ransomware group?▾
Is the Texas Hearing Institute facing an OCR fine or enforcement action?▾
What are the HIPAA breach notification deadlines that apply here?▾
Related intelligence
Data Breach
Family Health Centers of Southern Indiana Discloses January 2026 Network Intrusion Exposing Patient PHI Including Social Security Numbers
5 min read
Data Breach
Wisconsin Department of Health Services Reports HIPAA Breach Affecting 8,157 Medicaid Recipients After Benefits Letters Mailed to Wrong Addresses
5 min read
Data Breach
Amazon's One Medical Seniors Hit by ShinyHunters Extortion Group: 8.8TB of Legacy Patient Data at Risk
7 min read
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.