Cybercrime,
Data Breach Notification,
Data Security
Texas Health Plan Reports Largest Data Breach of 2025

A Texas insurance provider has initiated notifications for over 335,500 individuals regarding a breach that occurred in December, during which unauthorized access and copying of sensitive personal and health data took place. This incident has had wide-reaching implications, impacting multiple policyholders, agents, and carrier partners across several states.
New Era Life Insurance Companies, which operates in Texas along with regions in the Midwest and Pennsylvania, categorized itself as a health plan in a breach report submitted to federal authorities on February 11. The breach was also communicated to Maine’s Attorney General, citing that 16 state residents were affected, including employees and beneficiaries of policyholders, as well as independent agents. Additional breach notifications have been extended to several states, including South Carolina.
According to the breach notice, suspicious activity was detected within New Era’s network on December 18, prompting an immediate response that included isolating certain systems and launching an investigation in collaboration with a third-party cybersecurity firm. Law enforcement was also informed of the incident.
The subsequent investigation revealed that unauthorized access had occurred over a span of more than a week, from December 9 to December 18. During this timeframe, the intruder was able to access and copy files from the company’s systems. The compromised data varied by individual but included names, birth dates, insurance identification numbers, and health-related information. Some files contained Social Security numbers of affected individuals.
While this breach did not encompass data from all New Era policyholders, agents, and partners, it specifically affected those identified within the compromised files. Recently, several law firms have expressed interest in investigating the incident for potential class actions.
In response to the breach, New Era is providing 12 months of free identity and credit monitoring to those impacted and has indicated a commitment to implementing additional security measures to prevent future incidents.
As of mid-March, this breach stands as the largest health data incident among 10 breaches reported by health plans to the U.S. Department of Health and Human Services in 2025. Out of a total of 122 major breaches reported this year across various HIPAA-regulated entities, New Era’s incident ranks as the fourth largest. Experts note that health plans are prime targets for cyberattacks, given the vast volume of sensitive health and personal data they manage.
Historically, health plans reported 78 significant breaches in 2024, impacting nearly 17.7 million individuals. These figures do not account for breaches involving business associates serving the health insurance sector, which included notorious cases like the Change Healthcare breach that impacted 190 million people due to a ransomware attack.
Health plans vary widely in their cybersecurity measures, with larger insurers often having robust defenses, though they remain vulnerable due to the sheer scale of operations. Common attack vectors include phishing schemes that exploit these vulnerabilities, as highlighted by the massive 2016 breach of Anthem Inc., previously the largest health data breach before being surpassed by recent incidents.
Given the sensitive nature of the data they hold, health plans face significant cybersecurity risks. Cybercriminals typically target these organizations for financial gain or, in some cases, to disrupt operations in politically motivated attacks. Many healthcare providers and health plans still operate on outdated infrastructure, exacerbating their vulnerability to cyber threats. As this landscape evolves, organizations must prioritize cybersecurity better to protect their valuable data and ensure integrity in their operations.