Two California Medical Groups Announce Data Breaches
Data breaches have recently been announced by two California medical groups – Valley Radiology Consultants Medical Group, which serves San Diego County, and Nephrology Associates Medical Group, which serves the Riverside and San Bernardino counties.
Valley Radiology Consultants Medical Group
Valley Radiology Consultants Medical Group in California has announced a security incident and data breach that was first identified on September 15, 2025. Immediate action was taken to secure its network, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized access to its network and files containing patient information. On February 18, 2026, the file review was concluded, and Valley Radiology Consultants Medical Group obtained the final list of individuals to notify.
There is currently no substitute data breach notice on its website, and the notice submitted to the California Attorney General has the types of data involved redacted. Individual notices include the types of information compromised in the incident. Valley Radiology Consultants Medical Group said it has changed passwords, enhanced systems security, and taken steps to reduce the risk of future harm. Notification letters are now being mailed, and the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months. The incident is not yet shown on the HHS’ Office for Civil Rights data breach portal, so it is currently unclear how many individuals have been affected.
Nephrology Associates Medical Group
Nephrology Associates Medical Group in California has started notifying patients about a cyberattack and data breach that was first identified on May 20, 2025. Nephrology Associates Medical Group identified suspicious activity within its network and took immediate action to secure its systems and prevent further unauthorized access. Assisted by third-party cybersecurity experts, Nephrology Associates Medical Group confirmed that an unauthorized third party had accessed its network and exfiltrated files, including files containing patient information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The file review has recently been completed, and Nephrology Associates Medical Group has confirmed that names, dates of birth, Social Security numbers, medical/health information, diagnoses, treatment information, health insurance information, billing/payment information, and credentialing information were involved. The impacted data varies from individual to individual. The substitute data breach notice makes no mention of credit monitoring and identity theft protection services.
Nephrology Associates Medical Group has taken several steps in response to the data breach to strengthen security, including enforcing stronger password requirements, mandating more frequent required password changes, reducing access permissions, and switching to offline storage of older data. The incident is not yet shown on the HHS’ Office for Civil Rights data breach portal, so it is currently unclear how many individuals have been affected.
