It is not the kind of mail anyone wants. Nearly 20,000 patients of Barrio Comprehensive Family Health Care Center, which operates as CommuniCare, were alerted this week that a cybersecurity incident may have exposed private medical and insurance information. The San Antonio clinic says an unauthorized party accessed a limited number of employee email accounts, triggering a months-long review to determine whose data was compromised. That review wrapped on Feb. 19, and notices started going out in early March.
According to CommuniCare, staff first spotted suspicious activity tied to one employee's email account on Sept. 16, 2025. The clinic says it quickly secured its systems and brought in third-party forensic specialists to investigate. Those investigators concluded that a limited number of emails had been accessed without authorization, and the provider then conducted a detailed review of those messages to see what information they contained. CommuniCare says it is notifying potentially affected patients out of what it calls an abundance of caution.
What kinds of data may have been exposed
Postings from data-breach law firms and trackers point to a mix of personal and medical details that may have been involved. That includes names paired with dates of birth, health insurance account or member numbers, patient account numbers, provider location information, clinical notes, treatment details, and prescription records. Strauss Borrelli lays out those same categories after reviewing the clinic's official notice.
How many people were affected, and who was notified
Local reporting and breach trackers indicate that as many as 19,885 people may be caught up in the incident. KENS5 reports that CommuniCare filed a notice with the Texas Attorney General's office on March 9, and online aggregators that monitor those filings list the 19,885 total. The data-breach tracker Claim Depot includes that same figure in its summary of the state's records.
What CommuniCare is offering patients
CommuniCare says it has not seen evidence that any of the exposed information has been misused, but it is giving patients instructions and resources in case that changes. The written notice walks through steps people can take to protect their information and explains how to spot red flags. The health center has set up a toll-free helpline at 1-833-289-5065 and provided a mailing address for questions or written correspondence. For the clinic's full instructions and contact information, patients can refer to CommuniCare.
What patients should do next
Security experts recommend treating this kind of notice as a prompt to double-check your financial and health records, not as something to toss in a drawer. That means reviewing explanation-of-benefits statements from insurers, as well as bank, credit card and insurance records, for charges or activity you do not recognize. It also means looking over your credit reports and considering a fraud alert or credit freeze if anything looks off.
The Federal Trade Commission offers step-by-step identity theft guidance at IdentityTheft.gov, and the Texas Attorney General's website outlines state data-breach rules along with consumer options if your information is compromised. Experts say it is a good idea to keep copies of the clinic's notice and any follow-up letters or emails in case you later need to file complaints, dispute bills or document what happened.
Why this matters here
San Antonio has already had a crash course in how disruptive health care cyberattacks can be. In 2024, a breach at CentroMed affected hundreds of thousands of patients and temporarily scrambled appointments, prescription access and medical records. KSAT documented how that incident rippled through day-to-day operations.
CommuniCare runs multiple clinics around Bexar County and neighboring areas and says it takes patient privacy seriously, a familiar refrain in the wake of any breach. For now, affected patients are being told to watch their mail for official letters or call the helpline to confirm whether their own records are involved. Law firms that focus on data breaches have already posted explainers and resources aimed at people weighing legal or financial next steps, and Strauss Borrelli has highlighted the CommuniCare notice along with its recommendations for how patients can respond.
