Healthcare Provider Email and Network Intrusions Expose Patient Data
General Physician, P.C. agreed to pay $2.5 million to settle consolidated class-action litigation tied to a 2024 email-environment compromise that exposed sensitive patient data. The organization detected suspicious activity on June 12, 2024, and a forensic investigation found an unauthorized party had accessed its email system from April 6 to June 12, 2024. Potentially exposed data included SSNs, financial account information, dates of birth, medical and treatment details, diagnoses, medical record numbers, and insurance information; the affected population was later updated to 167,387 individuals (after an initial placeholder report of 501 to HHS OCR). The settlement fund is intended to provide class benefits after fees/expenses, and the company did not admit wrongdoing.
Two additional California healthcare providers reported separate security incidents involving unauthorized access to systems containing patient information. Valley Radiology Consultants Medical Group identified a breach on September 15, 2025, engaged third-party incident response support, confirmed unauthorized access to its network and files, and began mailing notifications after completing file review on February 18, 2026; it also offered 12 months of credit monitoring and reported taking remediation steps (e.g., password changes and security enhancements). Nephrology Associates Medical Group separately began notifying patients about a cyberattack first identified on May 20, 2025 (details in the provided excerpt are truncated), indicating another healthcare-sector intrusion with patient data exposure risk.
Timeline
Mar 4, 2026
Two California medical groups publicly announce separate breaches
Valley Radiology Consultants Medical Group and Nephrology Associates Medical Group publicly disclosed separate data breaches involving unauthorized access to patient information.
Mar 4, 2026
General Physician agrees to $2.5 million breach settlement
General Physician, P.C. agreed to pay $2.5 million to settle consolidated class action litigation arising from its 2024 email-system data breach affecting a large patient population.
Mar 4, 2026
Valley Radiology begins notifying affected individuals
Valley Radiology began mailing notification letters to affected patients and offered 12 months of complimentary single-bureau credit monitoring services.
Feb 18, 2026
Valley Radiology completes file review
Valley Radiology completed its review of the affected files, determining what patient information was involved in the breach.
Sep 15, 2025
Valley Radiology identifies data breach
Valley Radiology Consultants Medical Group identified a security incident on September 15, 2025 and later confirmed unauthorized access to files on its network.
Jun 4, 2025
Court grants preliminary approval of General Physician settlement
A court granted preliminary approval to General Physician's $2.5 million class action settlement, with a final fairness hearing scheduled for June 4, 2025.
May 20, 2025
Nephrology Associates identifies suspicious network activity
Nephrology Associates Medical Group identified suspicious activity on its network and later confirmed that an unauthorized third party had accessed the network and exfiltrated files containing sensitive data.
Jun 12, 2024
General Physician detects suspicious activity
General Physician detected suspicious activity in its email environment on June 12, 2024, prompting an investigation into the breach.
Apr 6, 2024
General Physician email system accessed by unauthorized party
A forensic investigation found that an unauthorized third party accessed General Physician, P.C.'s email environment between April 6, 2024 and June 12, 2024, potentially exposing patient, financial, and health information.
Related Stories

Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**.

Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
1 month ago
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**.

Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
1 month ago
Healthcare Data Breach Notifications and Settlement Involving Patient Information Exposure
Multiple healthcare-related organizations disclosed **separate** incidents involving exposure or theft of patient data. Delta Medical Systems reported unauthorized access to its email environment on July 15, 2025, with potentially exposed data including names, dates of birth, Social Security numbers, driver’s license information, bank details, insurance information, and medical information. A separate HIPAA Journal report described additional incidents at Cedar Valley Services, Community Nurse, and Health Dimensions Group, including a likely **Qilin ransomware** intrusion at Cedar Valley Services and a vendor-linked compromise affecting Community Nurse through *Doctor Alliance*, where files may have been accessed between October 31 and November 17, 2025.

In a different but related healthcare privacy matter, a judge approved a **$5 million settlement** in litigation against Geisinger Health and *Nuance Communications* over the theft of medical records affecting roughly **1.3 million patients** by a former Nuance employee. The stolen records reportedly included names, birthdates, addresses, medical record numbers, treatment details, and insurance information. While all three reports concern healthcare data exposure, they describe **distinct incidents** rather than one unified breach event, spanning direct compromises, third-party/vendor exposure, suspected ransomware activity, and post-incident legal resolution.
1 month ago