Yes — Texas Tech University Health Sciences Center (TTUHSC) disclosed a major data security incident reported on the Texas Attorney General portal on April 27, 2026, listing 738,506 Texans affected. Combined HSC / El Paso filings to HHS OCR have put nationwide exposure near 1.4 million individuals.
The investigation traces unauthorized access and file removal to roughly September 17–29, 2024. The Interlock ransomware group publicly claimed responsibility and advertised multi-terabyte exfiltration. Consumer notices circulated around April 9, 2026, with IDX monitoring offered in many letters.
We scanned ttuhsc.edu and parent academic domain ttu.edu on July 13, 2026 against the 100% ideal domain security score.
What Happened
| Field | Detail |
|---|---|
| Entity | Texas Tech University Health Sciences Center |
| Sector | Academic medical center / higher education |
| Intrusion window | Sep 17 – Sep 29, 2024 |
| Texans (OAG) | 738,506 |
| Data types (OAG) | Names; address; SSN; DL/gov ID; financial; medical; health insurance; DOB |
| Notice | Website, U.S. Mail, Texas-wide media |
| Claimed actor | Interlock ransomware (public reporting) |
Timeline highlights from TTUHSC notices and state/federal filings:
- Sep 2024 — Systems disruption; investigation confirms unauthorized access/exfiltration.
- Late 2024 — HHS OCR breach reports for HSC and El Paso (~1.46M combined in earlier tallies).
- Jan 24, 2025 — File-level review milestones cited in legal summaries.
- Apr 9–27, 2026 — Consumer notices and Texas OAG publication.

Independent Cybersecurity Audit
| Domain | Overall | Identity | Transport | Website | Risk vs 100% ideal |
|---|---|---|---|---|---|
| ttuhsc.edu | 44% | 25% | 15% | 45% | Below Average |
| ttu.edu | 34% | 0% | 15% | 45% | Weak |
Key findings:
- 44% / 34% overall — nowhere near the 100% ideal for a health-sciences estate holding SSNs and PHI.
ttu.eduat 0% Identity — spoofed@ttu.edufinancial-aid, payroll, or “IDX enrollment” phishing is an acute post-breach risk.- 15% Transport on both domains — inbound clinical and student mail can still be downgraded without MTA-STS enforce.
- 100% Email Infrastructure shows hosting is fine; policy enforcement is not.

Audit links: ttuhsc.edu · ttu.edu
Priority Actions
If you received a TTUHSC notice: Enroll in monitoring only via the letter’s official instructions. Treat any unexpected “verify IDX / medical portal” email as suspect.
For academic medical IT: Enforce DMARC reject on HSC and parent .edu domains; deploy MTA-STS enforce; segment clinical identity from marketing senders.
Related Trackers
audit.emailmenow.com · Contact
Sources: Texas OAG breach reports · BleepingComputer — TTU System breach · TTUHSC El Paso notice · EmailMeNow audits