VITAS Hospice Services Discovers Month-Long Network Intrusion Affecting 319K Patients
VITAS Hospice Services, LLC, the largest for-profit hospice chain in the United States, has notified the California and Texas attorneys general about a data security incident that exposed sensitive patient data. An unauthorized individual compromised an account used by one of its vendors, and through that account was able to access certain Vitas systems.
The security breach was identified on October 24, 2025, and the forensic investigation determined that there was unauthorized access to its systems for more than a month between September 21, 2025, and October 27, 2025. During that time, the unauthorized third party was able to view and download the personal information of current and former Vitas patients.
Vitas has been working with a third-party cybersecurity firm to investigate the cause of the breach and has taken steps to strengthen vendor oversight and improve its data protection protocols. At the time of issuing notifications to the affected individuals, Vitas was unaware of any misuse of the exposed data; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.
Data compromised in the incident varies from individual to individual and may include names in combination with some or all of the following: address, phone number, date of birth, Social Security number, driver’s license number, next of kin contact information including name, phone number and email address, diagnosis, medications, lab results, conditions, treatment information, health insurance information, and other personal information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
It is currently unclear exactly how many individuals have been affected, as neither the California nor Texas Attorneys General publishes figures for the total size of the data breach. The Texas Attorney General was told that 5,633 individuals in the state were affected by the breach. The HIPAA Journal has not found any further attorney general notifications at the time of writing, but the breach could be more expansive, as the company has locations in 15 U.S. states.
Update: December 9, 2025: The HHS Office for Civil Rights data breach portal has been updated and shows that the protected health information of 319,177 individuals was potentially compromised in the incident.
