Active breach tracker CA Disclosed April 30, 2025

Berkeley Research Group, LLC Data Breach 2025: 500 Affected · Hacking/IT Incident · CA. Filed With HHS OCR. What To Do.

Berkeley Research Group, LLC (CA) filed a HIPAA breach notification with the HHS Office for Civil Rights on April 30, 2025, reporting 500 affected individuals in a Hacking/IT Incident event at Network Server. The HHS OCR portal entry is the primary public record; further details are not yet publicly disclosed on thi...

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 28, 2025

Unauthorized actor gains access to BRG's network

Mar 2, 2025

BRG identifies suspicious activity and ejects the attacker

Apr 30, 2025

BRG submits HIPAA breach report to HHS OCR (500 affected, interim)

Dec 15, 2025

BlueCross BlueShield of Tennessee notifies approximately 1,650 members affected via BRG's BA role

Feb 13, 2026

BCBS Tennessee publishes public notice of the BRG incident

Data exposed

03

Contact & insurance

Phishing + targeted scams

Not publicly disclosed beyond 'Network Server' on the OCR portal
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Berkeley Research Group, LLC (BRG), a California-headquartered consulting and expert-services firm, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 30, 2025, reporting 500 affected individuals as an interim figure tied to a Hacking/IT Incident at a Network Server. BRG is logged on the OCR portal as a Business Associate. Public reporting and BRG’s own notice describe a ransomware intrusion between February 28 and March 2, 2025, with reporting tied to “Chaos” ransomware and an attacker who impersonated an IT worker to gain access. Downstream covered entities — including BlueCross BlueShield of Tennessee — issued their own notifications in late 2025 and early 2026 as BRG’s review identified individuals whose data the firm held in its role as expert and advisory consultant.

Timeline

  • February 28 – March 2, 2025 — Unauthorized actor accesses BRG’s network and copies files before being removed.
  • March 2, 2025 — BRG detects suspicious activity, ejects the attacker, and retains Octillo Law and Booz Allen Hamilton for incident response.
  • April 30, 2025 — BRG files HIPAA breach report with HHS OCR listing 500 affected individuals (interim).
  • December 15, 2025 — BlueCross BlueShield of Tennessee notifies approximately 1,650 members whose data was held by BRG as a business associate.
  • February 13, 2026 — BCBS Tennessee publishes its public notice of the BRG incident.

Data exposed

Per BRG’s own notice and downstream covered-entity disclosures, information involved across affected populations may include:

  • Name, address, and date of birth
  • Social Security number, tax identification number
  • Passport number and driver’s license or other government ID number
  • Financial account and bank account information; payment card numbers
  • Login credentials
  • Medical information and health insurance information (including health plan member IDs, group numbers, patient account numbers, and provider names for BCBS Tennessee members)

Not every affected individual had every element exposed. The OCR portal entry describes the location of the breached data as a Network Server.

What BRG and its covered-entity clients are offering

BRG’s own substitute notice points affected individuals to free annual credit reports from Equifax, Experian, and TransUnion via annualcreditreport.com rather than offering BRG-funded credit monitoring directly. Downstream covered entities have made their own offers: BlueCross BlueShield of Tennessee is providing 24 months of complimentary identity monitoring through Kroll, including credit monitoring, fraud consultation, and identity-theft restoration. If you receive a notification letter referencing the BRG incident, read it carefully — the specific offering may depend on which covered entity sent your data to BRG.

Class-action activity

Multiple plaintiff firms — including Dapeer Law, Shamis & Gentile, Console & Associates, Srourian Law Firm, Federman & Sherwood, and Cole & Van Note — have publicly announced investigations into potential class claims arising from the BRG incident. As of this writing no consolidated class-action complaint has been confirmed in the public sources we monitor; investigations were active through late 2025 and into 2026. The matter has drawn unusual scrutiny because BRG served as financial advisor in roughly a dozen Catholic diocesan bankruptcy cases involving clergy sexual abuse survivors, and the U.S. Department of Justice raised concerns about the potential exposure of survivor data tied to those proceedings.

What to do if you may be affected

  • Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the highest-leverage step against new-account identity theft. Given that SSNs, tax IDs, and bank/payment card data are in scope for at least some affected individuals, a freeze is the right default here.
  • If you receive a Kroll enrollment code from BlueCross BlueShield of Tennessee or another covered entity that used BRG, enroll. Twenty-four months of monitoring with restoration support is a real benefit.
  • Watch for a notification letter at the address on file with BRG or with the covered entity whose data BRG held. Letters typically arrive in waves and will list the specific data elements involved for you.
  • Be skeptical of unsolicited contact referencing this breach. Calls, texts, or emails that pressure you to “verify” your SSN, bank credentials, or insurance information are a phishing pattern, not legitimate breach response.
  • Bookmark this page. We update it as new substitute notices, state attorney general filings, or court filings become available.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.