San Antonio, TX – June 29, 2026 – Community First Health Plans, Inc. (Community First), the only locally owned and managed nonprofit health plan in the Bexar Service Delivery Area, is today notifying affected Community First Members about a data security incident that involved some personal information, including protected health information.
What Happened
On the evening of April 29, 2026, a Community First employee uploaded a file containing personal information of some Community First members to ChatGPT from a home computer network, circumventing Community First firewall safeguards and violating Community First policy. Community First does not utilize ChatGPT, and our systems immediately detected the violation and notified our IT department.
The next morning, Community First leaders launched an investigation, revoked the employee’s access to Community First systems, directed and verified that the employee had deleted all personal information from their ChatGPT account, and contacted OpenAI, LLC (the operator of ChatGPT) to demand deletion of any related data. Community First retrieved all personal information from the employee and promptly ended with its relationship with the employee.
What Information Was Involved
Based on our investigation, the following categories of information related to our Members may have been affected: name, address, date of birth, member identification number, and prescription drug information.
What We Are Doing
The privacy and security of our members’ personal information is our priority. Upon discovering the incident, Community First took the immediate steps described above and has notified the applicable federal and state agencies as required by law. In addition, Community First is working to implement authorized log-on time windows for employees, and mandatory VPN connectivity to systems at all times to prevent future firewall bypass. We have also revised relevant policies and procedures, retrained our workforce, and distributed additional reminders to all staff regarding the prohibition on the use of unauthorized artificial intelligence tools and the consequences of violating our policies. Community First will continue to implement additional safeguards in light of new technologies and best practices.
Information and Support for Affected Individuals
Community First is not aware of any impacted information having been misused, but out of an abundance of caution, we will be offering affected Members complimentary identity monitoring services for twelve (12) months. A description of those services and instructions on how to enroll will be mailed to affected Members directly.
Steps Members Can Take
Community First is not aware that anyone’s information has been misused as a result of this incident, but as a precautionary measure to safeguard information, Members are encouraged to take advantage of the data privacy resources enclosed in their notification letters, and to activate the identity monitoring services that Community First is providing to them. Members looking to ask questions or learn more information can email Community First at privacy@cfhp.com or call us at 800-434-2347 from 8:00 a.m. to 5:00 p.m. Central Time.
Media Contacts:
Judy Razo
Vice President, Experience & Growth
Community First Health Plans
(210) 358-6396
jrazo@cfhp.com
About Community First Health Plans
Community First Health Plans is dedicated to improving health outcomes and reducing disparities for diverse, historically underserved populations. Through innovative partnerships and community-driven initiatives, Community First continues to be a leader in providing quality healthcare solutions in the Texas region.