Beverly Hills Oncology Medical Group Data Breach 2025: 57,655 Cancer Patients Exposed. What Was Stolen and What To Do
Beverly Hills Oncology Medical Group (CA) disclosed a network intrusion that ran February 7 to 11, 2025 and was not reported until October 31, 2025 — roughly eight months after detection. The HHS OCR portal lists 57,655 affected individuals. Names, Social Security numbers, government IDs, financial and insurance data, and oncology treatment records were potentially exfiltrated. Two class-action lawsuits were filed in Los Angeles Superior Court on November 7, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 7, 2025
Unauthorized network access begins, per the forensic investigation cited in the notification letter
Feb 11, 2025
Unauthorized access identified and blocked; outside cybersecurity firm engaged
Oct 13, 2025
Forensic file review concludes; entity determines personal data may have been removed
Oct 31, 2025
Filed with HHS OCR (57,655 individuals, Hacking/IT Incident, Network Server) and California Attorney General and Maine Attorney General; individual notification letters begin mailing
Oct 31, 2025
Disclosed publicly
Nov 3, 2025
Filed with Massachusetts Attorney General (OCABR)
Nov 6, 2025
Sample notification letter posted by New Hampshire Attorney General; additional AG filings submitted to Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington Attorneys General
Nov 7, 2025
Mejia v. Beverly Hills Oncology Medical Group Inc and Zrihen v. Beverly Hills Cancer Center filed in Los Angeles County Superior Court
Feb 7, 2025
Unauthorized network access begins, per the forensic investigation cited in the notification letter
Feb 11, 2025
Unauthorized access identified and blocked; outside cybersecurity firm engaged
Oct 13, 2025
Forensic file review concludes; entity determines personal data may have been removed
Oct 31, 2025
Filed with HHS OCR (57,655 individuals, Hacking/IT Incident, Network Server) and California Attorney General and Maine Attorney General; individual notification letters begin mailing
Oct 31, 2025
Disclosed publicly
Nov 3, 2025
Filed with Massachusetts Attorney General (OCABR)
Nov 6, 2025
Sample notification letter posted by New Hampshire Attorney General; additional AG filings submitted to Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington Attorneys General
Nov 7, 2025
Mejia v. Beverly Hills Oncology Medical Group Inc and Zrihen v. Beverly Hills Cancer Center filed in Los Angeles County Superior Court
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Beverly Hills Oncology Medical Group is a community oncology practice operating in Los Angeles County, California, also known publicly as Beverly Hills Cancer Center. On October 31, 2025, the practice filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights reporting 57,655 affected individuals, classified as a Hacking/IT Incident involving a Network Server, and began mailing individual notification letters that same day. The intrusion itself occurred more than eight months earlier, between February 7 and February 11, 2025. The Inc Ransom ransomware group claimed responsibility on its dark-web leak site.
The roughly eight-month gap between detection and notification is the dominant fact of this incident. HIPAA’s breach-notification rule requires covered entities to notify affected individuals within 60 days of discovery. Beverly Hills Oncology has stated the delay reflects the time required to identify which individuals were in the affected files. That explanation is now part of the public record and is a central allegation in the class-action filings already on the docket.
Timeline
- February 7, 2025. Unauthorized actor first gains access to the Beverly Hills Oncology Medical Group network, per the forensic investigation referenced in the notification letter.
- February 11, 2025. Unauthorized access is identified and blocked. The practice engages an outside cybersecurity firm and begins forensic review.
- February to October 2025. File-by-file review of potentially accessed data. The Inc Ransom ransomware group lists Beverly Hills Oncology on its extortion portal during this period.
- October 13, 2025. Forensic review concludes. The practice determines that personal information may have been removed from the network.
- October 31, 2025. Beverly Hills Oncology files a breach report with the HHS Office for Civil Rights (57,655 individuals, Hacking/IT Incident, Network Server) and submits notice to the California Attorney General. Individual notification letters begin mailing.
- November 3, 2025. Notice filed with the Massachusetts Attorney General (OCABR).
- November 6, 2025. Sample notification letter posted by the New Hampshire Attorney General’s office, making the verbatim notice publicly retrievable. Additional AG filings submitted to Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington Attorneys General.
- November 7, 2025. Two class-action complaints are filed in Los Angeles County Superior Court: Mejia v. Beverly Hills Oncology Medical Group Inc (brought by Strauss Borrelli PLLC) and Zrihen v. Beverly Hills Cancer Center (brought by Bryson Harris Suciu & Demay).
What was exposed
The notification letter confirms that data elements potentially accessed or acquired between February 7 and February 11, 2025 include, depending on the individual:
- Full name
- Social Security number
- Driver’s license number or other government identification number
- Financial account information
- Credit or debit card information
- Health insurance policy information
- Diagnosis information
- Treatment information
- Prescription information
- Other clinical information
The data inventory combines two categories that are individually high-value to attackers: full identity packages (name, SSN, government ID, financial account) and oncology clinical detail (diagnosis, treatment, prescription).
Sensitive-population context: oncology records
Oncology records carry a category of sensitivity that generic healthcare breaches do not. A community oncology chart routinely contains:
- Cancer diagnosis and staging. Once disclosed, it cannot be undisclosed. It affects employability, insurability, and family-member risk perception.
- Genetic and biomarker testing results. Targeted therapies for breast, ovarian, colorectal, and other cancers are prescribed on the basis of germline (inherited) and somatic (tumor) genomic testing. Germline results carry implications for blood relatives. The notification letter does not specifically itemize genetic results, but oncology medical records routinely contain them, and the letter’s “treatment information” and “other clinical information” categories do not exclude them.
- Treatment regimens. Chemotherapy protocols, radiation plans, surgical history, and current medication lists are part of any active oncology record.
These records do not expire. A credit-monitoring product cannot un-disclose a Stage III breast-cancer diagnosis or a BRCA1 result. That is the underlying reason oncology breaches generate plaintiff investigations more reliably than the average healthcare breach.
What Beverly Hills Oncology is offering
Affected individuals are being offered complimentary identity-protection services through Epiq – Privacy Solutions ID. The notification letter template — publicly available via the California AG and state AG portals — shows the offer as either 12 or 24 months depending on the individual’s record. The product includes single-bureau credit monitoring, identity-theft insurance, dark-web monitoring, and identity-restoration support. The enrollment deadline and specific duration are printed on each individual’s letter.
Enrollment instructions and an activation code are included in each individual’s notification letter. Beverly Hills Oncology has stated that, as of the notification date, it has no reports of identity fraud or improper use of the affected data.
Class-action posture
Two class-action complaints have already been filed in Los Angeles County Superior Court, both on November 7, 2025:
- Mejia v. Beverly Hills Oncology Medical Group Inc — brought by Strauss Borrelli PLLC.
- Zrihen v. Beverly Hills Cancer Center — brought by Bryson Harris Suciu & Demay.
Additional plaintiff firms publicly investigating claims include Edelson Lechtzin LLP, Federman & Sherwood, Murphy Law Firm, The Lyon Firm, Shamis & Gentile P.A., Potter Handy, Cafferty Clobes Meriwether & Sprengel LLP, Migliaccio & Rathod LLP, and Emery Reddy PC.
Plaintiff theories are likely to focus on three points: (1) negligence in network security that allowed an intrusion to persist for the full five-day access window, (2) the roughly eight-month delay between February detection and October notification, which exceeds HIPAA’s 60-day clock and may implicate California’s Confidentiality of Medical Information Act and Unfair Competition Law, and (3) the sensitivity of oncology records relative to the credit-monitoring remedy offered.
What to do
This week:
- Activate the Epiq Privacy Solutions ID coverage using the activation code in your notification letter. The notification letter specifies whether your enrollment period is 12 or 24 months. Enroll before the deadline printed on your letter; the window is not open indefinitely.
- Place a free credit freeze at Equifax, Experian, and TransUnion. With Social Security number, driver’s license, and financial-account information all in scope, a freeze is the highest-leverage defensive step.
- Review your insurance Explanation of Benefits statements for any oncology, infusion, imaging, lab, or pharmacy claims you do not recognize. Medical identity theft using exposed insurance data is the underreported risk in oncology-data breaches.
This month:
- Stop the ongoing flow of your oncology data downstream. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the diagnoses and treatment data exposed in this breach are not continuously re-shared and sold by data brokers and ad-tech platforms.
- Consider whether to join a class action. Two complaints have been filed and additional firms are accepting affected individuals into their investigations. We are not a law firm and do not give legal advice.
- Keep the notification letter. It contains your activation code and is the document plaintiff firms and the OCR will reference if you make a claim or complaint.
Sources
- HIPAA Journal: OB-GYN Associates & Beverly Hills Oncology Medical Group Issue Breach Notifications confirms the 57,655 affected count on the HHS OCR portal, the February 7 to 11 access window, the October 13 forensic conclusion, the October 31 notification date, and the 12-month credit-monitoring offer.
- Newsweek: Beverly Hills Oncology Medical Group Data Breach Under Investigation corroborates the data categories exposed and notification timing.
- California Attorney General Breach List the state regulator’s filing index for breaches affecting California residents.
- Strauss Borrelli PLLC: Beverly Hills Oncology Medical Group Data Breach Investigation plaintiff-firm investigation notice that became the Mejia complaint on November 7, 2025.
- ClassAction.org: Beverly Hills Oncology Medical Group Data Breach Exposes Personal Info overview of the class-action landscape and data elements.
- Law.com Radar: Mejia v. Beverly Hills Oncology Medical Group Inc docket entry for the first filed class action.
- Law.com Radar: Zrihen v. Beverly Hills Cancer Center docket entry for the second filed class action.
- HIPAA Times: Beverly Hills Oncology Medical Group Reports Breach 9 Months Later analysis of the notification delay against the HIPAA 60-day rule.
- HHS Office for Civil Rights Breach Portal the federal regulatory record of this breach (Hacking/IT Incident, Network Server, 57,655 individuals).
- Claim Depot: Beverly Hills Oncology Reports 5-Day Data Breach (updated April 28, 2026) confirms AG filing disclosures across California, Maine, Massachusetts, New Hampshire, Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington.
- Beverly Hills Oncology Medical Group notification letter template the verbatim notice letter showing the Epiq enrollment offer as a 12- or 24-month membership depending on the individual’s record.
- Cafferty Clobes Meriwether & Sprengel LLP investigation confirms additional plaintiff firm investigation launched November 7, 2025.
- Migliaccio & Rathod LLP investigation confirms additional plaintiff firm investigation.
HealthConsent is independent and is not affiliated with Beverly Hills Oncology Medical Group, Beverly Hills Cancer Center, or any of the firms listed above.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: OB-GYN Associates & Beverly Hills Oncology Medical Group Issue Breach Notifications
- Newsweek: Beverly Hills Oncology Medical Group Data Breach Under Investigation
- California Attorney General Breach List
- Strauss Borrelli PLLC: Beverly Hills Oncology Medical Group Data Breach Investigation
- ClassAction.org: Beverly Hills Oncology Medical Group Data Breach Exposes Personal Info
- Law.com Radar: Mejia v. Beverly Hills Oncology Medical Group Inc
- Law.com Radar: Zrihen v. Beverly Hills Cancer Center
- HIPAA Times: Beverly Hills Oncology Medical Group Reports Breach 9 Months Later
- HHS Office for Civil Rights Breach Portal
- Claim Depot: Beverly Hills Oncology Reports 5-Day Data Breach (updated April 28, 2026)
- Beverly Hills Oncology Medical Group notification letter template (via ClassAction.org)
- Cafferty Clobes Meriwether & Sprengel LLP: Beverly Hills Oncology Medical Group Data Breach Investigation
- Migliaccio & Rathod LLP: Beverly Hills Oncology Medical Group Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.