Almeida Law Group is investigating a data breach at University of St. Thomas- Houston. The breach occurred on July 25, 2025, and was discovered on March 24, 2026. If you were affected, contact Almeida Law Group.
About University of St. Thomas- Houston
The University of St. Thomas-Houston (USTH) is a private Catholic university founded in 1947 by the Basilian Fathers, located in the Montrose neighborhood of Houston, Texas. It is the only Catholic university in the Archdiocese of Galveston-Houston and enrolls approximately 4,300 students, offering undergraduate liberal arts programs as well as graduate and doctoral degrees. Given its role as a university, USTH maintains extensive personal records for students, staff, donors, and other community members, making the types of data involved in this breach particularly concerning.
What Happened?
University of St. Thomas- Houston was listed in a Maine Attorney General filing on May 26, 2026, in connection with an external system breach (hacking). According to the notice, USTH became aware of suspicious activity within its computer network on or about August 12, 2025. An investigation determined that an unauthorized actor accessed certain systems between July 25, 2025, and August 12, 2025, and that certain files were accessed and/or acquired during that time. The compromised information includes names, Social Security numbers, dates of birth, and security questions/answers. USTH is offering affected individuals 12 months of credit monitoring and identity theft protection through Experian IdentityWorks, with an enrollment deadline of August 31, 2026. The total number of persons affected was not disclosed in the filing. Consumer notification letters were sent on May 26, 2026.
The ransomware group INC RANSOM claimed responsibility for the attack on August 21, 2025, stating it had exfiltrated approximately 1.8 terabytes of data. Investigators found at least 630,000 USTH files posted on the dark web, which reportedly included not only Social Security numbers and dates of birth but also passports, driver’s license information, logins and passwords, bank and credit card details, donor contact information, staff criminal records, vaccination records, student home addresses, confidential settlement agreements, and records from sexual-misconduct investigations. The breach coincided with a transition of IT providers from Ellucian to OculusIT, during which USTH’s then-CIO had reportedly raised cybersecurity alarms, warning that endpoint protection had not been installed on newly provisioned servers. Despite the university detecting suspicious activity in August 2025 and data appearing on the dark web by late 2025, consumer notifications were not sent until May 2026. Multiple law firms, including Shamis & Gentile P.A. and Markovits, Stock & DeMarco, have opened investigations into potential class action claims, though no filed lawsuit has been confirmed.
Key Facts at a Glance
- Company or Organization: University of St. Thomas- Houston
- Industry: Higher Education (Private Catholic University)
- Location: 3800 Montrose Blvd, Houston, TX 77006
- Incident type: External system breach (hacking) / Ransomware (INC RANSOM)
- Date of breach: July 25, 2025 – August 12, 2025
- Date breach discovered: March 24, 2026
- Date of consumer notification: May 26, 2026
- Identity theft protection offered: 12 months of credit monitoring and identity theft services through Experian IdentityWorks
- Enrollment deadline: August 31, 2026
- Litigation status: Multiple law firm investigations opened; no confirmed filed class action
- Source: Maine Attorney General filing; ABC13 Houston; DataBreaches.net; Hoodline
What Should You Do?
If you received a notification letter from USTH, enroll in the complimentary Experian IdentityWorks credit monitoring and identity theft protection services before the August 31, 2026 deadline. Consider placing a fraud alert or credit freeze on your credit files with Equifax, Experian, and TransUnion to prevent unauthorized accounts from being opened in your name. Monitor your bank accounts, credit card statements, and credit reports closely for any suspicious activity. You can obtain free credit reports at AnnualCreditReport.com. If you suspect identity theft, report it at IdentityTheft.gov and file a report with local law enforcement. Given that the leaked data reportedly included a wide range of sensitive information beyond what the notification letter described, remain especially vigilant and consider changing passwords and security questions for any accounts that may have used the same credentials.
Your Legal Rights
If your personal information was involved in this breach, you may have legal rights depending on the facts of the incident and the law in your state. Almeida Law Group represents consumers in data breach and privacy litigation and can help you evaluate whether you may have a claim. Contact us at (708) 529-5418 or through our contact page for a free case evaluation.
