California Cancer Associates for Research and Excellence – High Desert Data Breach 2025: 17,250 Oncology Patients Exposed in Dec 2024 Phishing Attack
cCARE – High Desert, the Victorville-area oncology clinic in the Integrated Oncology Network, reported a December 13–16, 2024 phishing intrusion that exposed email and SharePoint files containing names, Social Security numbers, dates of birth, diagnoses, lab results, medications, treatment information, and health insurance details for 17,250 cancer patients. Filed with HHS OCR on June 27, 2025. Multiple class-action investigations underway.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 13, 2024
Unauthorized access to email and SharePoint accounts begins via phishing
Dec 16, 2024
Unauthorized access window closes
Jun 13, 2025
cCARE – High Desert becomes aware that unauthorized parties accessed email and SharePoint accounts
Jun 27, 2025
HIPAA breach notification filed with HHS Office for Civil Rights and California Attorney General
Jul 14, 2025
Plaintiffs' firms publicly open class-action investigations (Strauss Borrelli, Federman & Sherwood, others)
Dec 13, 2024
Unauthorized access to email and SharePoint accounts begins via phishing
Dec 16, 2024
Unauthorized access window closes
Jun 13, 2025
cCARE – High Desert becomes aware that unauthorized parties accessed email and SharePoint accounts
Jun 27, 2025
HIPAA breach notification filed with HHS Office for Civil Rights and California Attorney General
Jul 14, 2025
Plaintiffs' firms publicly open class-action investigations (Strauss Borrelli, Federman & Sherwood, others)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
California Cancer Associates for Research and Excellence – High Desert (cCARE – High Desert), the Victorville oncology clinic that is part of the Integrated Oncology Network (ION), filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 27, 2025, reporting 17,250 affected individuals in a hacking/IT incident that compromised data on a network server. Plaintiffs’ firms have publicly opened class-action investigations. Companion filings on the same date covered cCARE Fresno (7,670 patients) and cCARE San Diego (638 patients).
The root cause was a phishing attack in December 2024 that gave an external actor access to a limited number of employee email mailboxes and SharePoint files. Because those files included clinical content (diagnoses, lab results, medications, treatment information), this breach exposes cancer patients to a higher-than-baseline risk of targeted scams and medical identity theft. Detection took roughly six months from the date of access.
Timeline
- December 13, 2024 — Unauthorized parties gain access to a limited number of cCARE / ION employee email and SharePoint accounts via a phishing scheme.
- December 16, 2024 — Unauthorized access window closes (per Federman & Sherwood and Strauss Borrelli investigative summaries).
- June 13, 2025 — cCARE – High Desert becomes aware of the unauthorized access following an internal review and forensic investigation.
- June 27, 2025 — HIPAA breach notification filed with HHS OCR (17,250 individuals) and disclosure made to the California Attorney General. Paired entries filed the same day for cCARE Fresno (7,670) and cCARE San Diego (638).
- July 14–18, 2025 — Plaintiffs’ law firms (Strauss Borrelli PLLC, Federman & Sherwood, Schubert Jonckheer & Kolbe, Console & Associates, The Lyon Firm) publicly open class-action investigations.
What was exposed
Per investigative summaries from Strauss Borrelli, Federman & Sherwood, and the law firms tracking the related Integrated Oncology Network filing, the compromised email mailboxes and SharePoint folders contained patient records including:
- Names, addresses, and dates of birth
- Social Security numbers
- Financial account information
- Health insurance and claims information
- Provider names
- Clinical data: diagnoses (including cancer diagnoses), lab results, medications, treatment information, and treatment dates
In the OCR portal the breach is categorized as a hacking/IT incident with location of breached PHI listed as Network Server, consistent with the SharePoint document-store exposure reported by counsel.
Why this breach is sensitive — oncology context
Most healthcare breaches expose generic PHI. This one is different. Because cCARE – High Desert is an oncology practice, the exposed treatment records can reveal:
- The fact of a cancer diagnosis. By itself a sensitive health attribute that can affect insurance underwriting, employment relationships, and personal relationships if exposed.
- Specific cancer types, staging language in lab and pathology results, and treatment regimens including chemotherapy and radiation protocols. In many cases these identify the cancer with high specificity.
- In some patient files, results of genetic testing common in modern oncology workups (BRCA, Lynch syndrome, somatic tumor panels). Genetic information is statutorily sensitive under California’s Genetic Information Privacy Act and federally under GINA, and disclosure can affect biological relatives who never consented to the testing.
The combination of name plus Social Security number plus cancer diagnosis is unusually attractive to fraudsters running medical-identity-theft schemes and to bad-faith actors targeting cancer patients with treatment-themed phishing.
What cCARE is offering
Per Federman & Sherwood and the law-firm investigative posts, cCARE – High Desert is offering complimentary credit monitoring and identity-theft protection services through Epiq Privacy Solutions. Enrollment instructions are included in the individual notification letters mailed beginning in July 2025. The specific duration of the monitoring offer (commonly 12 or 24 months for incidents of this severity) is not detailed in the public investigative summaries reviewed.
cCARE has stated that affected individuals are being notified by mail and that the entity has implemented additional safeguards on email and SharePoint access.
Class-action and regulatory posture
As of this writing, multiple plaintiffs’ firms have publicly opened investigations of the cCARE / Integrated Oncology Network incident but no consolidated class action has been independently confirmed in the public docket in connection with the High Desert filing specifically. Firms publicly soliciting affected individuals include:
- Strauss Borrelli PLLC (Samuel J. Strauss leading)
- Federman & Sherwood
- Schubert Jonckheer & Kolbe LLP
- Console & Associates, P.C.
- The Lyon Firm
The HHS OCR portal entry remains open (not closed). Because ION serves as the IT-services parent for cCARE and the same phishing attack affected related entities (cCARE Fresno, cCARE San Diego, and roughly 25 ION-affiliated practices reported separately), a consolidated multi-entity class action is plausible but had not been filed at the time of this update.
What to do if you may be affected
If you received an oncology service at cCARE – High Desert in Victorville (or any cCARE location served by ION), assume you are within the affected population until your individual letter confirms otherwise.
- Enroll in the Epiq Privacy Solutions credit-monitoring offer through the activation code in your notification letter. The enrollment code is single-use; do not let the deadline lapse.
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were among the data exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible at any time.
- Review your Explanation of Benefits statements from your health insurer for unfamiliar claims, particularly oncology-related billing that does not match services you received. Medical identity theft is the most consequential risk profile for this specific incident.
- Be skeptical of unsolicited contact that references your cancer treatment. With names paired to specific diagnoses and treatment dates, follow-on scams are easier to make convincing. Verify anything that claims to come from cCARE, your oncologist, or your insurer by calling a number you already have on file.
- Consider an IRS identity-protection PIN. With Social Security numbers in the wild, the IRS IP PIN is a strong defense against tax-refund fraud.
- If genetic testing was part of your care, ask cCARE in writing whether your genetic results were among the documents exposed. Genetic information has its own protected status under California GIPA, and a written confirmation is worth keeping.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the June 27, 2025 filing (17,250 affected; hacking/IT incident; network server).
- Strauss Borrelli PLLC — cCARE – High Desert Data Breach Investigation — confirms 17,200+ affected, June 27, 2025 OCR filing, Victorville location.
- Federman & Sherwood — cCARE – High Desert Investigation — confirms December 13–16, 2024 access window, June 13, 2025 discovery, Epiq Privacy Solutions credit monitoring.
- PR Newswire — Privacy Alert: cCARE Under Investigation — confirms exposed data elements including diagnoses, lab results, medications, treatment information, and SSNs.
- calHIPAA — Healthcare Data Breach Report for June 2025 — confirms the 17,250 figure and Integrated Oncology Network business-associate context.
- ClassAction.org — Integrated Oncology Network / cCARE Data Breach Investigation — class-action investigation status.
- cCARE — High Desert Cancer Center location page — confirms organizational identity and Victorville location.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Strauss Borrelli PLLC — cCARE – High Desert Data Breach Investigation
- Federman & Sherwood — cCARE – High Desert Investigation
- PR Newswire — Privacy Alert: cCARE Under Investigation for Data Breach of Patient Records
- calHIPAA — Healthcare Data Breach Report for June 2025
- ClassAction.org — Integrated Oncology Network / cCARE Data Breach Lawsuit Investigation
- cCARE — High Desert Cancer Center location page
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.