On or about October 24, 2025 Legacy Health reported a cybersecurity incident (the “Data Breach”) to the Texas Attorney General’s Office. The breach affected at least 4,031 individuals in Texas and involved unauthorized access to sensitive personal and medical information. Legacy Health notified impacted individuals by U.S. Mail.
Legacy Health is a privately held healthcare revenue cycle management company based in Dallas, Texas. Founded in 2008, the company supports over 12,000 healthcare providers and processes more than $15 billion in annual accounts receivable with a team of 3,200 employees across multiple locations.
Legacy Health has notified impacted individuals and may be offering identity protection services. If you received a Data Breach notification letter from Legacy Health, it confirms that your information was potentially compromised.
What information is involved in the Legacy Health Data Breach?
Compromised information may include:
Name
Medical Information
Health Insurance Information
Your Personally Identifiable Information (PII) includes details that can be used to identify you. It plays a key role in defining your identity. Organizations are legally obligated to safeguard this data, and failure to do so can result in statutory fines and other legal consequences. If PII is stolen, it may be exploited by criminals to commit identity fraud.
A specific category of PII is Protected Health Information (PHI), which pertains to personal medical data. PHI is safeguarded under both federal and state regulations. Entities such as healthcare providers and businesses that manage PHI must ensure its security. Just like PII, compromised PHI can be misused by identity thieves, and it’s common for cybercriminals to use both types of information together.
If your data has been exposed in a breach, one of the most effective steps you can take is to enroll in credit and identity monitoring services promptly.
If you received a NOTICE OF DATA BREACH letter from Legacy Health, your personal, financial, and/or medical information may be at risk. This type of data can be exploited by identity thieves to commit fraud and other crimes.