Arrow Cyber Advisors

What We Know About the Recent Heart of Texas Behavioral Health Network Data Security Incident and Why Physical Breaches Still Matter

KD

Dec 22, 2025By Kristy Dark

Data breaches are, unfortunately, a fact of life in today’s digital economy. Whether they involve network hacks, credential theft, or loss of physical records, the result is the same: sensitive personal information gets exposed, and individuals and organizations must respond quickly to mitigate harm.

Recently, the Heart of Texas Behavioral Health Network (HOTBHN) published a privacy and data security notice detailing a breach that occurred at one of its facilities. This incident highlights not only the challenges of protecting digital systems, but also the very real risks associated with physical, on-site breaches of paper records something that many organizations still struggle to defend against. 

What Happened at HOTBHN?
According to the notice on the HOTBHN site, an unauthorized individual unlawfully entered a facility on or about November 20, 2025, gaining access to unsecured paper records stored inside. These records potentially included:

  • Patient names and addresses
  • Social Security numbers
  • Medical record numbers
  • Diagnosis and treatment information
  • Health insurance or billing details (including Medicaid data)

HOTBHN states that it is not aware of any misuse of the information at this time, but because the records were accessed without authorization, it issued the notice to affected individuals and authorities in compliance with federal and state laws including HIPAA and the Texas Identity Theft Enforcement and Protection Act. The organization also detailed steps taken to secure the premises and improve physical security safeguards and training. 

The Rising (Yet Often Overlooked) Risk of Physical Data Breaches
When we talk about data breaches, most people immediately think of malicious hackers, phishing scams, or ransomware. And while those digital threats are indeed more common, physical breaches like stolen documents or unauthorized access to facilities are still a significant concern.

Many recent reports show that a notable portion of security incidents involves some physical element:

  • In some industry data, physical actions are responsible for a meaningful share of breaches, even if they represent a smaller percentage compared with cyber threats overall. For example, an analysis of breach data shows that fewer than 5% of reported incidents involve direct physical actions, but these events can still lead to serious exposure of personal information.
  • Other statistics on physical security indicate that over half of organizations report experiencing a security incident involving unauthorized physical access in the past year, and more than 60% of data breaches originate from theft or loss of physical devices or records in some surveys. 

Physical breaches often stem from break-ins, lost or stolen devices, misplaced paperwork, or insider access, and they can be surprisingly frequent in organizations that rely on paper records or do not have robust physical access controls in place.

Why All This Matters
The HOTBHN breach is a reminder that data security isn’t just an online problem. For healthcare providers, nonprofit organizations, and any entity handling sensitive personal data, risks come from both cyber networks and physical environments. Protecting data means:

  • Securing servers and storage rooms
  • Training staff to handle paper and digital records safely
  • Ensuring physical access controls (locks, cameras, alarms) are up to date
  • Responding quickly and transparently when incidents occur

The fallout from a breach whether digital or physical can include identity theft, loss of trust, and costly remedial actions. By understanding the full landscape of breach risks, organizations can take a more comprehensive approach to protecting the people they serve.