TCIDA Breach Bombshell: Law Firms Jump On Massive Texas Health Data Hack

A growing number of law firms are launching investigations after a Fort Worth-based health care group disclosed a year-old data breach that exposed sensitive information on nearly 20,000 patients.

The Texas Centers for Infectious Disease Associates (TCIDA), which operates clinics in Fort Worth and Dallas, announced in late June that hackers may have accessed names, Social Security numbers, medical record details, and other highly sensitive information, according to a press release from the organization on PR Newswire. Now, law firms including Federman & Sherwood, Strauss Borrelli PLLC, and Almeida Law Group say they are probing the breach and considering potential legal claims on behalf of affected individuals.

Federman & Sherwood, which maintains an office in the Dallas-Fort Worth metroplex, has updated its website to indicate that the firm is investigating whether TCIDA had “adequate safeguards in place” and if victims may be eligible for relief. In a July 3 update, the firm stated, “The incident was recently disclosed in a notice filed with the Office of the Attorney General of Maine, and it involved unauthorized access and potential theft of sensitive personal and health information.”

The Breakdown:

• Scope of the breach: Nearly 20,000 patients may have had personal and medical data stolen.

• Discovery delay: The breach occurred in July 2024 but was not discovered until June 2025.

• CLICK HERE TO GET THE DALLAS EXPRESS APP

  Root cause: The incident reportedly stemmed from a third-party billing vendor previously used by TCIDA.

• Legal scrutiny: At least three law firms have opened investigations or are soliciting affected clients.

• Free services offered: TCIDA is providing credit monitoring, identity theft insurance, and recovery assistance.

The Almeida Law Group, in a separate post, criticized the delay between the July 2024 breach and its discovery on June 17, 2025. The firm noted the lag “raises concerns over delayed detection” and stated that victims “may be eligible for compensation or other legal remedies.”

Strauss Borrelli PLLC’s website features a similar entry, highlighting the firm’s supposed prowess as a “leading data breach law firm” in investigating the matter.

TCIDA, which changed its name from Tarrant County Infectious Disease Associates in 1997, offers infectious disease treatment and infusion services across the Dallas–Fort Worth area. Following the breach, the group claims to have hired cybersecurity consultants, conducted a forensic investigation, and notified affected patients on June 26, 2025.

TCIDA believes the intrusion began after an incident involving its former third-party billing provider, according to the press release. The TCDIA statement did not identify the billing provider.

A breach notice shared with the Maine Attorney General’s office states that information potentially exposed includes names, birth dates, Social Security numbers, driver’s license numbers, health insurance IDs, and detailed treatment data.

In addition to mailing notices, TCIDA claims to have established a toll-free line for questions. Although it is not mentioned in TCIDA’s initial press release, the Almeida website says TCIDA is offering up to 24 months of credit monitoring and a $1 million insurance policy for identity theft.

TCIDA’s presser stated, “The privacy and protection of personal and protected health information is a top priority… [we] deeply regret any inconvenience or concern this incident may cause.”

Attorneys involved say further legal action could follow depending on what their reviews uncover about TCIDA’s cybersecurity practices.

The Dallas Express contacted TCIDA for comment on the potential litigation, but a spokesman did not return comment by the time of publication.