Chase Affiliated Companies Data Breach Exposes 2,165 Individuals' PHI
Chase Affiliated Companies, a health plan operating in New Mexico, has reported a significant data breach to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, affecting 2,165 individuals. The incident, classified as a hacking/IT incident, compromised sensitive protected health information (PHI) stored on the organization's network servers.
What Happened
On November 6, 2025, Chase Affiliated Companies reported a cybersecurity incident to federal regulators. The breach originated from a hacking or IT incident that targeted the company's network server infrastructure. This attack successfully compromised systems containing protected health information belonging to over 2,000 individuals.
According to breach notifications filed with state authorities, the incident was also disclosed to the Texas Attorney General's office on November 7, 2025. The Texas filing revealed that 979 Texas residents were impacted by this breach, indicating the incident had a multi-state impact.
The exposed information included highly sensitive data such as names and Social Security numbers, both classified as personally identifiable information (PII) under federal privacy regulations. This type of information exposure creates significant risks for identity theft and financial fraud.
Who Is Affected
The breach impacts 2,165 individuals who had their protected health information stored on Chase Affiliated Companies' compromised network servers. These affected individuals include:
- Health plan members and beneficiaries
- Former participants in Chase health plans
- Dependents covered under family plans
- 979 confirmed Texas residents
- Additional individuals across multiple states
Chase Affiliated Companies operates as Chase Energy Services and functions as a health plan entity, meaning the affected individuals likely include employees and their families who receive healthcare benefits through the organization.
Breach Details
The incident represents a serious violation of HIPAA Security Rule requirements under 45 CFR §164.306, which mandates covered entities implement appropriate administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
Key breach specifications:
- Entity Type: Health Plan
- Location: Network Server
- Method: Hacking/IT Incident
- Individuals Affected: 2,165 (nationally), 979 (Texas)
- Data Exposed: Names, Social Security numbers, and additional PHI
- Business Associate Involvement: None reported
- Discovery Timeline: Reported November 6-7, 2025
The fact that no business associate was involved suggests this was a direct attack on Chase's internal systems, making the organization fully responsible for the security failures that enabled this breach.
According to legal sources, Strauss Borrelli PLLC, a prominent data breach law firm, has announced that it is investigating Chase Affiliated Companies regarding this incident, suggesting potential legal action may follow.
What This Means for Patients
This breach carries significant implications for affected individuals, particularly given the exposure of Social Security numbers combined with names. This combination of data creates substantial risks:
Immediate Concerns:
- Identity theft risk from Social Security number exposure
- Potential financial fraud using stolen personal information
- Medical identity theft where criminals use PHI to obtain healthcare services
- Insurance fraud possibilities given the health plan context
Long-term Impact:
- Credit report monitoring requirements
- Ongoing vigilance for suspicious account activity
- Potential need for identity protection services
- Possible impacts on healthcare service delivery
Under the HIPAA Breach Notification Rule (45 CFR §164.404), Chase Affiliated Companies is required to notify all affected individuals within 60 days of breach discovery, providing detailed information about the incident and recommended protective actions.
How to Protect Yourself
If you believe you may be affected by this breach, take these immediate protective steps:
Immediate Actions:
- Monitor credit reports from all three major bureaus (Experian, Equifax, TransUnion)
- Place fraud alerts on your credit files
- Review bank and credit card statements for unauthorized transactions
- Check healthcare benefits statements for services you didn't receive
Ongoing Protection:
- Consider credit freezes to prevent new account openings
- Monitor medical benefits explanations for fraudulent claims
- Review annual Social Security statements for earnings discrepancies
- Use identity monitoring services if available through the breach response
Documentation:
- Keep records of all breach-related communications
- Document any suspicious activity you discover
- Report identity theft to the FTC at IdentityTheft.gov
- File police reports if you discover actual fraud
Prevention Lessons for Healthcare Providers
This incident highlights critical cybersecurity vulnerabilities that healthcare organizations must address to comply with HIPAA requirements:
Technical Safeguards (45 CFR §164.312):
- Multi-factor authentication for all network access
- Encryption of data at rest and in transit
- Network segmentation to limit breach impact
- Regular security assessments and penetration testing
Administrative Safeguards (45 CFR §164.308):
- Comprehensive risk assessments identifying network vulnerabilities
- Employee training programs on cybersecurity best practices
- Incident response procedures for rapid breach containment
- Business associate agreements covering all third-party access
Physical Safeguards (45 CFR §164.310):
- Server room security with restricted physical access
- Workstation controls preventing unauthorized system access
- Media disposal procedures ensuring complete data destruction
The HIPAA Security Rule requires covered entities to conduct regular risk assessments and implement security measures appropriate to their size, complexity, and the sensitivity of the PHI they handle. This breach suggests potential failures in these fundamental requirements.
Healthcare organizations must also maintain detailed audit logs and monitoring systems to detect unauthorized access attempts before they result in successful data exfiltration.
Legal Compliance Requirements: Under HIPAA regulations, Chase Affiliated Companies faces potential penalties ranging from $137 to $2,067,813 per violation, depending on the level of negligence and whether they demonstrate willful neglect of HIPAA requirements.
This incident serves as a stark reminder that cybersecurity is not optional for healthcare entities—it's a legal requirement under federal law that carries significant financial and reputational consequences when failures occur.