In 2017, Dameron Hospital in Texas reported a breach to the California Attorney General’s Office. No copy of its breach notification was uploaded to California’s breach site, and Dameron did not respond to this site’s email asking for details of the breach. The incident never appeared on HHS’s public breach tool, so we never found out what happened or how many people were affected.
On or about November 4, 2023, Dameron experienced another breach. This one was a ransomware incident that we learned about when RansomHouse listed it on its leak site in December 2023. RansomHouse claimed to have encrypted Dameron’s files and to have exfiltrated 480 GB of files. RansomHouse subsequently leaked the data.
Dameron recently settled a potential class action lawsuit for $650k. Those who are eligible class members have until April 22, 2025 to file a claim, as explained on the official settlement website. According to the complaint and court records, the settlement class was estimated to contain 262,475 people. As of publication today, this 2023 incident is still not on HHS’s public breach tool even though Dameron has recently sent out notification letters and notified the Texas Attorney General’s Office and the California Attorney General’s Office of the breach.
Dameron’s letter to those affected, which appears in redacted form online, states, in part:
Upon learning of this issue, we immediately commenced a prompt and thorough investigation. As part of our investigation, we have been working very closely with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and comprehensive document review, on March 21, 2025, we determined your personal data may have been subject to unauthorized access or acquisition, which occurred between November 4, 2023, and November 5, 2023.
Their notification does not explain why it took them 16 months to notify those affected. Equally important, their notification says that personal data “may have been subject to unauthorized access or acquisition.” But given that the data was leaked in 2023, didn’t the hospital have every reason to know that data was acquired, and not only acquired, but leaked? Why weren’t patients told when their data had been leaked online?
As noted above, a lawsuit over the 2023 breach has already resulted in settlement. But will HHS investigate whether the hospital had been compliant with the HIPAA Security Rule and the notification rule, or will Dameron’s incident become just another breach with no regulators taking enforcement action?
DataBreaches did not find any provision in the settlement document that committed Dameron to investing more in infosecurity or cybersecurity. DataBreaches emailed the plaintiff’s attorney yesterday to ask if there was any such provision, but no reply has been received. Perhaps if a federal or state regulator does investigate Dameron’s security and incident response, a corrective action plan may result, but given how few security rule enforcement actions HHS has pursued and given recent staffing cuts to HHS, DataBreaches isn’t holding its breath.