Active breach tracker San Diego, CA Disclosed June 27, 2025

California Cancer Associates for Research and Excellence – San Diego Data Breach 2025: 638 Oncology Patients Exposed in ION Phishing Attack

cCARE – San Diego, the San Diego oncology practice in the Integrated Oncology Network, reported a December 13–16, 2024 phishing intrusion that exposed ION email and SharePoint files containing names, Social Security numbers, dates of birth, diagnoses, lab results, medications, treatment information, and health insurance details for 638 cancer patients. Filed with HHS OCR on June 27, 2025. Companion to the High Desert (17,250) and Fresno (7,670) cCARE filings on the same date. Multiple class-action investigations underway.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 13, 2024

Unauthorized access to ION employee email and SharePoint accounts begins via phishing scheme

Dec 16, 2024

Unauthorized access window closes

May 9, 2025

ION investigation determines unauthorized actor accessed email and SharePoint accounts containing cCARE – San Diego patient data

Jun 27, 2025

HIPAA breach notification filed with HHS Office for Civil Rights and California Attorney General; notification letters mailed to affected individuals

Jun 27, 2025

Individual notifications to 638 affected San Diego patients begin

Jul 14, 2025

Plaintiffs' firms publicly open class-action investigations (Strauss Borrelli, Federman & Sherwood, others)

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers

02

Health records

Don't expire and can't be reissued

Diagnoses (including cancer diagnoses) Lab results Medications Treatment information and dates of treatment

03

Contact & insurance

Phishing + targeted scams

Names Addresses Dates of birth Financial account information Health insurance and claims information Provider names

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC Federman & Sherwood Schubert Jonckheer & Kolbe LLP Console & Associates, P.C. The Lyon Firm
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

California Cancer Associates for Research and Excellence – San Diego (cCARE – San Diego), an oncology practice that is part of the Integrated Oncology Network (ION), filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 27, 2025, reporting 638 affected individuals in a hacking/IT incident traced to ION’s email and SharePoint environment. The San Diego filing was one of three companion filings made by cCARE entities on the same date; the others covered cCARE – High Desert (17,250 patients) and cCARE – Fresno (7,670 patients). At least two dozen ION-affiliated cancer practices across roughly twelve states reported the same incident on the same date.

The root cause was a phishing attack in December 2024 that gave an external actor access to a limited number of ION employee email mailboxes and SharePoint files containing cCARE patient records. Because those files included clinical content (diagnoses, lab results, medications, treatment information), the breach exposes cancer patients to a higher-than-baseline risk of targeted scams and medical identity theft. ION’s forensic review concluded on May 9, 2025 that patient data was within the compromised accounts.

Timeline

  • December 13, 2024 — Unauthorized parties gain access to a limited number of ION employee email and SharePoint accounts via a phishing scheme. The compromised accounts contained cCARE – San Diego patient records.
  • December 16, 2024 — Unauthorized access window closes (three-day intrusion).
  • May 9, 2025 — ION’s investigation determines an unauthorized actor accessed email and SharePoint accounts containing cCARE – San Diego patient information.
  • June 27, 2025 — HIPAA breach notification filed with HHS OCR (638 individuals) and disclosure made to the California Attorney General. Notification letters mailed to affected San Diego patients beginning the same day. Paired entries filed for cCARE – High Desert (17,250) and cCARE – Fresno (7,670).
  • July 14, 2025 — Plaintiffs’ law firms (Strauss Borrelli PLLC, Federman & Sherwood, Schubert Jonckheer & Kolbe, Console & Associates, The Lyon Firm) publicly open class-action investigations covering the ION / cCARE incident.

What was exposed

Per the HIPAA Journal summary, the BankInfoSecurity reporting, and law-firm investigative summaries from Strauss Borrelli and Federman & Sherwood, the compromised ION email mailboxes and SharePoint folders contained cCARE – San Diego patient records including:

  • Names, addresses, and dates of birth
  • Social Security numbers
  • Financial account information
  • Health insurance and claims information
  • Provider names and dates of treatment
  • Clinical data: diagnoses (including cancer diagnoses), lab results, medications, and treatment information

The OCR portal entry categorizes the breach as a hacking/IT incident with location of breached PHI listed as Email, consistent with the email-and-SharePoint scope described by counsel and the trade press.

Why this breach is sensitive — oncology context

Most healthcare breaches expose generic PHI. This one is different. Because cCARE – San Diego is an oncology practice, the exposed treatment records can reveal:

  • The fact of a cancer diagnosis. By itself a sensitive health attribute that can affect insurance underwriting, employment relationships, and personal relationships if exposed.
  • Specific cancer types, staging language in lab and pathology results, and treatment regimens including chemotherapy and radiation protocols. In many cases these identify the cancer with high specificity.
  • In some patient files, results of genetic testing common in modern oncology workups (BRCA, Lynch syndrome, somatic tumor panels). Genetic information is statutorily sensitive under California’s Genetic Information Privacy Act and federally under GINA, and disclosure can affect biological relatives who never consented to the testing.

The combination of name plus Social Security number plus cancer diagnosis is unusually attractive to fraudsters running medical-identity-theft schemes and to bad-faith actors targeting cancer patients with treatment-themed phishing. The San Diego cohort is small (638 people) but the risk profile per individual is identical to the larger High Desert and Fresno cohorts.

What cCARE is offering

Per the law-firm investigative posts covering the ION / cCARE incident, affected individuals are being offered complimentary credit monitoring and identity-theft protection services through Epiq Privacy Solutions, with enrollment instructions included in the individual notification letters mailed beginning June 27, 2025. The specific duration of the monitoring offer (commonly 12 or 24 months for incidents of this severity) is not detailed in the public investigative summaries reviewed for the San Diego cohort.

ION has stated that it has implemented additional safeguards on email and SharePoint access following the incident.

Class-action and regulatory posture

As of this writing, multiple plaintiffs’ firms have publicly opened investigations of the ION / cCARE incident, but no consolidated class action has been independently confirmed in the public docket in connection with the San Diego filing specifically. Firms publicly soliciting affected individuals include:

  • Strauss Borrelli PLLC (Samuel J. Strauss leading; firm published a dedicated cCARE – San Diego investigation page on July 14, 2025)
  • Federman & Sherwood
  • Schubert Jonckheer & Kolbe LLP
  • Console & Associates, P.C.
  • The Lyon Firm

The HHS OCR portal entry remains open (not closed). Because ION is the shared services parent for cCARE and the same phishing attack affected related entities (cCARE – High Desert, cCARE – Fresno, and roughly two dozen other ION-affiliated practices reported separately on June 27, 2025), a consolidated multi-entity class action is plausible but had not been filed at the time of this update.

What to do if you may be affected

If you received an oncology service at cCARE – San Diego (or any cCARE location served by ION), assume you are within the affected population until your individual letter confirms otherwise.

  • Enroll in the Epiq Privacy Solutions credit-monitoring offer through the activation code in your notification letter. The enrollment code is single-use; do not let the deadline lapse.
  • Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were among the data exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible at any time.
  • Review your Explanation of Benefits statements from your health insurer for unfamiliar claims, particularly oncology-related billing that does not match services you received. Medical identity theft is the most consequential risk profile for this specific incident.
  • Be skeptical of unsolicited contact that references your cancer treatment. With names paired to specific diagnoses and treatment dates, follow-on scams are easier to make convincing. Verify anything that claims to come from cCARE, your oncologist, or your insurer by calling a number you already have on file.
  • Consider an IRS identity-protection PIN. With Social Security numbers in the wild, the IRS IP PIN is a strong defense against tax-refund fraud.
  • If genetic testing was part of your care, ask cCARE in writing whether your genetic results were among the documents exposed. Genetic information has its own protected status under California GIPA, and a written confirmation is worth keeping.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.