Active breach tracker California Disclosed October 31, 2025

Beverly Hills Oncology Medical Group Data Breach 2025: 57,655 Cancer Patients Exposed. What Was Stolen and What To Do

Beverly Hills Oncology Medical Group (CA) disclosed a network intrusion that ran February 7 to 11, 2025 and was not reported until October 31, 2025 — roughly eight months after detection. The HHS OCR portal lists 57,655 affected individuals. Names, Social Security numbers, government IDs, financial and insurance data, and oncology treatment records were potentially exfiltrated. Two class-action lawsuits were filed in Los Angeles Superior Court on November 7, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 7, 2025

Unauthorized network access begins, per the forensic investigation cited in the notification letter

Feb 11, 2025

Unauthorized access identified and blocked; outside cybersecurity firm engaged

Oct 13, 2025

Forensic file review concludes; entity determines personal data may have been removed

Oct 31, 2025

Filed with HHS OCR (57,655 individuals, Hacking/IT Incident, Network Server) and California Attorney General and Maine Attorney General; individual notification letters begin mailing

Oct 31, 2025

Disclosed publicly

Nov 3, 2025

Filed with Massachusetts Attorney General (OCABR)

Nov 6, 2025

Sample notification letter posted by New Hampshire Attorney General; additional AG filings submitted to Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington Attorneys General

Nov 7, 2025

Mejia v. Beverly Hills Oncology Medical Group Inc and Zrihen v. Beverly Hills Cancer Center filed in Los Angeles County Superior Court

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Driver's license or other government identification number

02

Health records

Don't expire and can't be reissued

Diagnosis information (oncology / cancer diagnoses) Treatment information Prescription information Other clinical information

03

Contact & insurance

Phishing + targeted scams

Full name Financial account information Credit or debit card information Health insurance policy information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC Bryson Harris Suciu & Demay Edelson Lechtzin LLP Federman & Sherwood Murphy Law Firm The Lyon Firm Shamis & Gentile, P.A. Potter Handy Cafferty Clobes Meriwether & Sprengel LLP Migliaccio & Rathod LLP Emery Reddy, PC
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Beverly Hills Oncology Medical Group is a community oncology practice operating in Los Angeles County, California, also known publicly as Beverly Hills Cancer Center. On October 31, 2025, the practice filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights reporting 57,655 affected individuals, classified as a Hacking/IT Incident involving a Network Server, and began mailing individual notification letters that same day. The intrusion itself occurred more than eight months earlier, between February 7 and February 11, 2025. The Inc Ransom ransomware group claimed responsibility on its dark-web leak site.

The roughly eight-month gap between detection and notification is the dominant fact of this incident. HIPAA’s breach-notification rule requires covered entities to notify affected individuals within 60 days of discovery. Beverly Hills Oncology has stated the delay reflects the time required to identify which individuals were in the affected files. That explanation is now part of the public record and is a central allegation in the class-action filings already on the docket.

Timeline

  • February 7, 2025. Unauthorized actor first gains access to the Beverly Hills Oncology Medical Group network, per the forensic investigation referenced in the notification letter.
  • February 11, 2025. Unauthorized access is identified and blocked. The practice engages an outside cybersecurity firm and begins forensic review.
  • February to October 2025. File-by-file review of potentially accessed data. The Inc Ransom ransomware group lists Beverly Hills Oncology on its extortion portal during this period.
  • October 13, 2025. Forensic review concludes. The practice determines that personal information may have been removed from the network.
  • October 31, 2025. Beverly Hills Oncology files a breach report with the HHS Office for Civil Rights (57,655 individuals, Hacking/IT Incident, Network Server) and submits notice to the California Attorney General. Individual notification letters begin mailing.
  • November 3, 2025. Notice filed with the Massachusetts Attorney General (OCABR).
  • November 6, 2025. Sample notification letter posted by the New Hampshire Attorney General’s office, making the verbatim notice publicly retrievable. Additional AG filings submitted to Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington Attorneys General.
  • November 7, 2025. Two class-action complaints are filed in Los Angeles County Superior Court: Mejia v. Beverly Hills Oncology Medical Group Inc (brought by Strauss Borrelli PLLC) and Zrihen v. Beverly Hills Cancer Center (brought by Bryson Harris Suciu & Demay).

What was exposed

The notification letter confirms that data elements potentially accessed or acquired between February 7 and February 11, 2025 include, depending on the individual:

  • Full name
  • Social Security number
  • Driver’s license number or other government identification number
  • Financial account information
  • Credit or debit card information
  • Health insurance policy information
  • Diagnosis information
  • Treatment information
  • Prescription information
  • Other clinical information

The data inventory combines two categories that are individually high-value to attackers: full identity packages (name, SSN, government ID, financial account) and oncology clinical detail (diagnosis, treatment, prescription).

Sensitive-population context: oncology records

Oncology records carry a category of sensitivity that generic healthcare breaches do not. A community oncology chart routinely contains:

  • Cancer diagnosis and staging. Once disclosed, it cannot be undisclosed. It affects employability, insurability, and family-member risk perception.
  • Genetic and biomarker testing results. Targeted therapies for breast, ovarian, colorectal, and other cancers are prescribed on the basis of germline (inherited) and somatic (tumor) genomic testing. Germline results carry implications for blood relatives. The notification letter does not specifically itemize genetic results, but oncology medical records routinely contain them, and the letter’s “treatment information” and “other clinical information” categories do not exclude them.
  • Treatment regimens. Chemotherapy protocols, radiation plans, surgical history, and current medication lists are part of any active oncology record.

These records do not expire. A credit-monitoring product cannot un-disclose a Stage III breast-cancer diagnosis or a BRCA1 result. That is the underlying reason oncology breaches generate plaintiff investigations more reliably than the average healthcare breach.

What Beverly Hills Oncology is offering

Affected individuals are being offered complimentary identity-protection services through Epiq – Privacy Solutions ID. The notification letter template — publicly available via the California AG and state AG portals — shows the offer as either 12 or 24 months depending on the individual’s record. The product includes single-bureau credit monitoring, identity-theft insurance, dark-web monitoring, and identity-restoration support. The enrollment deadline and specific duration are printed on each individual’s letter.

Enrollment instructions and an activation code are included in each individual’s notification letter. Beverly Hills Oncology has stated that, as of the notification date, it has no reports of identity fraud or improper use of the affected data.

Class-action posture

Two class-action complaints have already been filed in Los Angeles County Superior Court, both on November 7, 2025:

  • Mejia v. Beverly Hills Oncology Medical Group Inc — brought by Strauss Borrelli PLLC.
  • Zrihen v. Beverly Hills Cancer Center — brought by Bryson Harris Suciu & Demay.

Additional plaintiff firms publicly investigating claims include Edelson Lechtzin LLP, Federman & Sherwood, Murphy Law Firm, The Lyon Firm, Shamis & Gentile P.A., Potter Handy, Cafferty Clobes Meriwether & Sprengel LLP, Migliaccio & Rathod LLP, and Emery Reddy PC.

Plaintiff theories are likely to focus on three points: (1) negligence in network security that allowed an intrusion to persist for the full five-day access window, (2) the roughly eight-month delay between February detection and October notification, which exceeds HIPAA’s 60-day clock and may implicate California’s Confidentiality of Medical Information Act and Unfair Competition Law, and (3) the sensitivity of oncology records relative to the credit-monitoring remedy offered.

What to do

This week:

  1. Activate the Epiq Privacy Solutions ID coverage using the activation code in your notification letter. The notification letter specifies whether your enrollment period is 12 or 24 months. Enroll before the deadline printed on your letter; the window is not open indefinitely.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. With Social Security number, driver’s license, and financial-account information all in scope, a freeze is the highest-leverage defensive step.
  3. Review your insurance Explanation of Benefits statements for any oncology, infusion, imaging, lab, or pharmacy claims you do not recognize. Medical identity theft using exposed insurance data is the underreported risk in oncology-data breaches.

This month:

  1. Stop the ongoing flow of your oncology data downstream. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the diagnoses and treatment data exposed in this breach are not continuously re-shared and sold by data brokers and ad-tech platforms.
  2. Consider whether to join a class action. Two complaints have been filed and additional firms are accepting affected individuals into their investigations. We are not a law firm and do not give legal advice.
  3. Keep the notification letter. It contains your activation code and is the document plaintiff firms and the OCR will reference if you make a claim or complaint.

Sources

HealthConsent is independent and is not affiliated with Beverly Hills Oncology Medical Group, Beverly Hills Cancer Center, or any of the firms listed above.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.