California Cancer Associates for Research and Excellence – San Diego Data Breach 2025: 638 Oncology Patients Exposed in ION Phishing Attack
cCARE – San Diego, the San Diego oncology practice in the Integrated Oncology Network, reported a December 13–16, 2024 phishing intrusion that exposed ION email and SharePoint files containing names, Social Security numbers, dates of birth, diagnoses, lab results, medications, treatment information, and health insurance details for 638 cancer patients. Filed with HHS OCR on June 27, 2025. Companion to the High Desert (17,250) and Fresno (7,670) cCARE filings on the same date. Multiple class-action investigations underway.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 13, 2024
Unauthorized access to ION employee email and SharePoint accounts begins via phishing scheme
Dec 16, 2024
Unauthorized access window closes
May 9, 2025
ION investigation determines unauthorized actor accessed email and SharePoint accounts containing cCARE – San Diego patient data
Jun 27, 2025
HIPAA breach notification filed with HHS Office for Civil Rights and California Attorney General; notification letters mailed to affected individuals
Jun 27, 2025
Individual notifications to 638 affected San Diego patients begin
Jul 14, 2025
Plaintiffs' firms publicly open class-action investigations (Strauss Borrelli, Federman & Sherwood, others)
Dec 13, 2024
Unauthorized access to ION employee email and SharePoint accounts begins via phishing scheme
Dec 16, 2024
Unauthorized access window closes
May 9, 2025
ION investigation determines unauthorized actor accessed email and SharePoint accounts containing cCARE – San Diego patient data
Jun 27, 2025
HIPAA breach notification filed with HHS Office for Civil Rights and California Attorney General; notification letters mailed to affected individuals
Jun 27, 2025
Individual notifications to 638 affected San Diego patients begin
Jul 14, 2025
Plaintiffs' firms publicly open class-action investigations (Strauss Borrelli, Federman & Sherwood, others)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
California Cancer Associates for Research and Excellence – San Diego (cCARE – San Diego), an oncology practice that is part of the Integrated Oncology Network (ION), filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 27, 2025, reporting 638 affected individuals in a hacking/IT incident traced to ION’s email and SharePoint environment. The San Diego filing was one of three companion filings made by cCARE entities on the same date; the others covered cCARE – High Desert (17,250 patients) and cCARE – Fresno (7,670 patients). At least two dozen ION-affiliated cancer practices across roughly twelve states reported the same incident on the same date.
The root cause was a phishing attack in December 2024 that gave an external actor access to a limited number of ION employee email mailboxes and SharePoint files containing cCARE patient records. Because those files included clinical content (diagnoses, lab results, medications, treatment information), the breach exposes cancer patients to a higher-than-baseline risk of targeted scams and medical identity theft. ION’s forensic review concluded on May 9, 2025 that patient data was within the compromised accounts.
Timeline
- December 13, 2024 — Unauthorized parties gain access to a limited number of ION employee email and SharePoint accounts via a phishing scheme. The compromised accounts contained cCARE – San Diego patient records.
- December 16, 2024 — Unauthorized access window closes (three-day intrusion).
- May 9, 2025 — ION’s investigation determines an unauthorized actor accessed email and SharePoint accounts containing cCARE – San Diego patient information.
- June 27, 2025 — HIPAA breach notification filed with HHS OCR (638 individuals) and disclosure made to the California Attorney General. Notification letters mailed to affected San Diego patients beginning the same day. Paired entries filed for cCARE – High Desert (17,250) and cCARE – Fresno (7,670).
- July 14, 2025 — Plaintiffs’ law firms (Strauss Borrelli PLLC, Federman & Sherwood, Schubert Jonckheer & Kolbe, Console & Associates, The Lyon Firm) publicly open class-action investigations covering the ION / cCARE incident.
What was exposed
Per the HIPAA Journal summary, the BankInfoSecurity reporting, and law-firm investigative summaries from Strauss Borrelli and Federman & Sherwood, the compromised ION email mailboxes and SharePoint folders contained cCARE – San Diego patient records including:
- Names, addresses, and dates of birth
- Social Security numbers
- Financial account information
- Health insurance and claims information
- Provider names and dates of treatment
- Clinical data: diagnoses (including cancer diagnoses), lab results, medications, and treatment information
The OCR portal entry categorizes the breach as a hacking/IT incident with location of breached PHI listed as Email, consistent with the email-and-SharePoint scope described by counsel and the trade press.
Why this breach is sensitive — oncology context
Most healthcare breaches expose generic PHI. This one is different. Because cCARE – San Diego is an oncology practice, the exposed treatment records can reveal:
- The fact of a cancer diagnosis. By itself a sensitive health attribute that can affect insurance underwriting, employment relationships, and personal relationships if exposed.
- Specific cancer types, staging language in lab and pathology results, and treatment regimens including chemotherapy and radiation protocols. In many cases these identify the cancer with high specificity.
- In some patient files, results of genetic testing common in modern oncology workups (BRCA, Lynch syndrome, somatic tumor panels). Genetic information is statutorily sensitive under California’s Genetic Information Privacy Act and federally under GINA, and disclosure can affect biological relatives who never consented to the testing.
The combination of name plus Social Security number plus cancer diagnosis is unusually attractive to fraudsters running medical-identity-theft schemes and to bad-faith actors targeting cancer patients with treatment-themed phishing. The San Diego cohort is small (638 people) but the risk profile per individual is identical to the larger High Desert and Fresno cohorts.
What cCARE is offering
Per the law-firm investigative posts covering the ION / cCARE incident, affected individuals are being offered complimentary credit monitoring and identity-theft protection services through Epiq Privacy Solutions, with enrollment instructions included in the individual notification letters mailed beginning June 27, 2025. The specific duration of the monitoring offer (commonly 12 or 24 months for incidents of this severity) is not detailed in the public investigative summaries reviewed for the San Diego cohort.
ION has stated that it has implemented additional safeguards on email and SharePoint access following the incident.
Class-action and regulatory posture
As of this writing, multiple plaintiffs’ firms have publicly opened investigations of the ION / cCARE incident, but no consolidated class action has been independently confirmed in the public docket in connection with the San Diego filing specifically. Firms publicly soliciting affected individuals include:
- Strauss Borrelli PLLC (Samuel J. Strauss leading; firm published a dedicated cCARE – San Diego investigation page on July 14, 2025)
- Federman & Sherwood
- Schubert Jonckheer & Kolbe LLP
- Console & Associates, P.C.
- The Lyon Firm
The HHS OCR portal entry remains open (not closed). Because ION is the shared services parent for cCARE and the same phishing attack affected related entities (cCARE – High Desert, cCARE – Fresno, and roughly two dozen other ION-affiliated practices reported separately on June 27, 2025), a consolidated multi-entity class action is plausible but had not been filed at the time of this update.
What to do if you may be affected
If you received an oncology service at cCARE – San Diego (or any cCARE location served by ION), assume you are within the affected population until your individual letter confirms otherwise.
- Enroll in the Epiq Privacy Solutions credit-monitoring offer through the activation code in your notification letter. The enrollment code is single-use; do not let the deadline lapse.
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were among the data exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible at any time.
- Review your Explanation of Benefits statements from your health insurer for unfamiliar claims, particularly oncology-related billing that does not match services you received. Medical identity theft is the most consequential risk profile for this specific incident.
- Be skeptical of unsolicited contact that references your cancer treatment. With names paired to specific diagnoses and treatment dates, follow-on scams are easier to make convincing. Verify anything that claims to come from cCARE, your oncologist, or your insurer by calling a number you already have on file.
- Consider an IRS identity-protection PIN. With Social Security numbers in the wild, the IRS IP PIN is a strong defense against tax-refund fraud.
- If genetic testing was part of your care, ask cCARE in writing whether your genetic results were among the documents exposed. Genetic information has its own protected status under California GIPA, and a written confirmation is worth keeping.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the June 27, 2025 filing (638 affected; hacking/IT incident; email location).
- Strauss Borrelli PLLC — cCARE – San Diego Data Breach Investigation — confirms San Diego–specific investigation, June 27, 2025 OCR filing, ION business-associate role.
- HIPAA Journal — Phishing Attack Affects Multiple Cancer Treatment Centers — confirms 638 affected for cCARE – San Diego, December 13–16, 2024 access window, and the full exposed-data inventory including Social Security numbers.
- BankInfoSecurity — Email Hack Affects at Least 24 Cancer Care Practices — confirms the ION-wide scope (24 covered entities, ~123,000 patients) and the May 9, 2025 determination date.
- PR Newswire — Privacy Alert: cCARE Under Investigation — confirms exposed data elements including diagnoses, lab results, medications, treatment information, and SSNs.
- calHIPAA — Healthcare Data Breach Report for June 2025 — confirms the 638 figure and Integrated Oncology Network business-associate context.
- Console & Associates / JD Supra — Integrated Oncology Network Reports Data Breach Affecting cCARE Patients — class-action investigation status and ION administrative-services relationship to cCARE.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Strauss Borrelli PLLC — cCARE – San Diego Data Breach Investigation
- HIPAA Journal — Phishing Attack Affects Multiple Cancer Treatment Centers
- BankInfoSecurity — Email Hack Affects at Least 24 Cancer Care Practices
- PR Newswire — Privacy Alert: cCARE Under Investigation for Data Breach of Patient Records
- calHIPAA — Healthcare Data Breach Report for June 2025
- Console & Associates / JD Supra — Integrated Oncology Network Reports Data Breach Affecting cCARE Patients
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.