Healthcare Provider Email and Network Intrusions Expose Patient Data
General Physician, P.C. agreed to pay $2.5 million to settle consolidated class-action litigation tied to a 2024 email-environment compromise that exposed sensitive patient data. The organization detected suspicious activity on June 12, 2024, and a forensic investigation found an unauthorized party had accessed its email system from April 6 to June 12, 2024. Potentially exposed data included SSNs, financial account information, dates of birth, medical and treatment details, diagnoses, medical record numbers, and insurance information; the affected population was later updated to 167,387 individuals (after an initial placeholder report of 501 to HHS OCR). The settlement fund is intended to provide class benefits after fees/expenses, and the company did not admit wrongdoing.
Two additional California healthcare providers reported separate security incidents involving unauthorized access to systems containing patient information. Valley Radiology Consultants Medical Group identified a breach on September 15, 2025, engaged third-party incident response support, confirmed unauthorized access to its network and files, and began mailing notifications after completing file review on February 18, 2026; it also offered 12 months of credit monitoring and reported taking remediation steps (e.g., password changes and security enhancements). Nephrology Associates Medical Group separately began notifying patients about a cyberattack first identified on May 20, 2025 (details in the provided excerpt are truncated), indicating another healthcare-sector intrusion with patient data exposure risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Two California medical groups publicly announce separate breaches
Valley Radiology Consultants Medical Group and Nephrology Associates Medical Group publicly disclosed separate data breaches involving unauthorized access to patient information.
General Physician agrees to $2.5 million breach settlement
General Physician, P.C. agreed to pay $2.5 million to settle consolidated class action litigation arising from its 2024 email-system data breach affecting a large patient population.
Valley Radiology begins notifying affected individuals
Valley Radiology began mailing notification letters to affected patients and offered 12 months of complimentary single-bureau credit monitoring services.
Valley Radiology completes file review
Valley Radiology completed its review of the affected files, determining what patient information was involved in the breach.
Valley Radiology identifies data breach
Valley Radiology Consultants Medical Group identified a security incident on September 15, 2025 and later confirmed unauthorized access to files on its network.
Court grants preliminary approval of General Physician settlement
A court granted preliminary approval to General Physician's $2.5 million class action settlement, with a final fairness hearing scheduled for June 4, 2025.
Nephrology Associates identifies suspicious network activity
Nephrology Associates Medical Group identified suspicious activity on its network and later confirmed that an unauthorized third party had accessed the network and exfiltrated files containing sensitive data.
General Physician detects suspicious activity
General Physician detected suspicious activity in its email environment on June 12, 2024, prompting an investigation into the breach.
General Physician email system accessed by unauthorized party
A forensic investigation found that an unauthorized third party accessed General Physician, P.C.'s email environment between April 6, 2024 and June 12, 2024, potentially exposing patient, financial, and health information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
teiss - News - General Physician, P.C. agrees to $2.5 million settlement over 2024 data breach affecting patient records
teiss.co.uk
Open sourceGeneral Physician Pays $2.5 Million to Settle Data Breach Litigation
hipaajournal.com
Open sourceTwo California Medical Groups Announce Data Breaches
hipaajournal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**. Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
Mar 21, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026
Healthcare Data Breach Notifications and Settlement Involving Patient Information Exposure
Multiple healthcare-related organizations disclosed **separate** incidents involving exposure or theft of patient data. Delta Medical Systems reported unauthorized access to its email environment on July 15, 2025, with potentially exposed data including names, dates of birth, Social Security numbers, driver’s license information, bank details, insurance information, and medical information. A separate HIPAA Journal report described additional incidents at Cedar Valley Services, Community Nurse, and Health Dimensions Group, including a likely **Qilin ransomware** intrusion at Cedar Valley Services and a vendor-linked compromise affecting Community Nurse through *Doctor Alliance*, where files may have been accessed between October 31 and November 17, 2025. In a different but related healthcare privacy matter, a judge approved a **$5 million settlement** in litigation against Geisinger Health and *Nuance Communications* over the theft of medical records affecting roughly **1.3 million patients** by a former Nuance employee. The stolen records reportedly included names, birthdates, addresses, medical record numbers, treatment details, and insurance information. While all three reports concern healthcare data exposure, they describe **distinct incidents** rather than one unified breach event, spanning direct compromises, third-party/vendor exposure, suspected ransomware activity, and post-incident legal resolution.
Mar 21, 2026