Medium Severity (Score: 5/10)

McEwen & Associates Data Breach: 500 Patients' Health Records Exposed


Breach Details

  • Entity: McEwen & Associates
  • Individuals Affected: 500
  • State: TX
  • Breach Type: Hacking/IT Incident
  • Location: Network Server
  • Date Reported: August 21, 2025
  • Entity Type: Business Associate
  • Business Associate: Yes

What Happened

McEwen & Associates, a Texas-based business associate serving healthcare providers, reported a significant data breach to the Department of Health and Human Services on August 21, 2025. The breach affected 500 individuals and involved unauthorized access to the company's network servers through a hacking/IT incident.

As a HIPAA business associate, McEwen & Associates handles protected health information (PHI) on behalf of covered entities, making this breach particularly concerning for both the affected patients and the healthcare providers who trusted the company with sensitive data.

Who Is Affected

The breach impacts 500 individuals whose protected health information was stored on McEwen & Associates' network servers. While specific details about the types of healthcare providers served by McEwen & Associates have not been disclosed, business associates typically work with:

  • Medical practices and clinics
  • Hospitals and health systems
  • Mental health providers
  • Specialty healthcare services
  • Healthcare billing companies

Patients who received services from healthcare providers that contract with McEwen & Associates for services such as billing, IT support, or administrative functions may be among those affected.

Breach Details

  • Entity Type: Business Associate
  • Location: Texas
  • Breach Method: Hacking/IT Incident
  • Compromised Systems: Network Server
  • Individuals Affected: 500
  • Date Reported: August 21, 2025

The breach occurred when cybercriminals gained unauthorized access to McEwen & Associates' network servers. As a business associate breach, this incident falls under HIPAA's Breach Notification Rule (45 CFR §§ 164.400-414), which requires both the business associate and the covered entities they serve to take specific notification and remediation actions.

Under 45 CFR § 164.410, business associates must notify covered entities of breaches affecting PHI within 60 days of discovery. The covered entities, in turn, must notify affected patients within 60 days of learning about the breach.

What This Means for Patients

When a business associate experiences a data breach, it creates a cascading effect throughout the healthcare ecosystem. Here's what patients should understand:

Immediate Risks

  • Identity theft from exposed personal information
  • Medical identity theft if health records were compromised
  • Financial fraud if payment information was accessed
  • Privacy violations from unauthorized disclosure of sensitive health conditions

Long-term Concerns

  • Compromised health information can be used for insurance fraud
  • Medical records may be altered or falsified in criminal schemes
  • Sensitive health conditions could be exposed publicly
  • Credit monitoring may be necessary to detect fraudulent activity

HIPAA Rights

Under 45 CFR § 164.524, patients have the right to:

  • Request an accounting of disclosures of their PHI
  • Obtain copies of their medical records
  • Request amendments to incorrect information
  • File complaints with the Office for Civil Rights (OCR)

How to Protect Yourself

If you believe you may be affected by this breach, take these immediate steps:

Monitor Your Accounts

  • Review credit reports from all three bureaus (Experian, Equifax, TransUnion)
  • Check bank and credit card statements for unauthorized transactions
  • Monitor Explanation of Benefits (EOB) statements from insurance providers
  • Watch for unexpected medical bills or insurance claims

Secure Your Information

  • Freeze your credit with all three credit bureaus
  • Set up fraud alerts on financial accounts
  • Use strong, unique passwords for all healthcare portals and accounts
  • Enable two-factor authentication where available

Document Everything

  • Keep records of all breach notifications received
  • Document any suspicious activity on accounts
  • Save correspondence with healthcare providers and credit monitoring services
  • File complaints with OCR if you believe your rights were violated

Healthcare-Specific Actions

  • Contact your healthcare providers to verify which business associates they use
  • Request notification if your information was involved in the McEwen & Associates breach
  • Ask about alternative communication methods if you're concerned about data security
  • Consider requesting paper statements instead of electronic communications temporarily

Prevention Lessons for Healthcare Providers

This breach highlights critical HIPAA compliance obligations for healthcare providers when working with business associates:

Business Associate Agreements (BAAs)

Under 45 CFR § 164.502(e), covered entities must have written business associate agreements that include:

  • Specific permitted uses and disclosures of PHI
  • Requirements for safeguarding electronic PHI
  • Incident response and breach notification procedures
  • Termination clauses for contract violations

Due Diligence Requirements

Healthcare providers should:

  • Vet business associates thoroughly before contracting
  • Require evidence of cybersecurity programs and HIPAA training
  • Conduct regular security assessments of business associate practices
  • Monitor breach reports and industry security alerts

Technical Safeguards

Implement robust HIPAA Security Rule (45 CFR Part 164, Subpart C) protections:

  • Encryption of PHI in transit and at rest
  • Access controls and user authentication
  • Audit logs and monitoring systems
  • Regular security updates and vulnerability assessments

Administrative Safeguards

  • Designate a HIPAA Security Officer
  • Provide comprehensive staff training on data security
  • Develop incident response plans for breaches
  • Conduct regular risk assessments of all systems handling PHI

The McEwen & Associates breach serves as a reminder that healthcare data security extends beyond individual practices to encompass the entire network of business associates and third-party vendors that handle protected health information. Both providers and patients must remain vigilant in protecting sensitive healthcare data.

For healthcare providers seeking to strengthen their HIPAA compliance and protect against similar breaches, comprehensive security solutions and ongoing monitoring are essential.

Learn how HIPAA Agent can help protect your practice.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.