Cerenade Data Breach 2025: 987 Affected · Akira Ransomware · CA. Filed With HHS OCR. What To Do.
Cerenade, a California-based cloud case management software vendor, was breached by the Akira ransomware group on October 2-3, 2025. The HHS OCR portal lists 987 affected individuals in a Hacking/IT Incident at Network Server. Cerenade disclosed to the California Attorney General on January 2, 2026 and is offering one year of IDX identity-theft protection.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 2, 2025
Related event
Oct 3, 2025
Related event
Oct 8, 2025
Related event
Oct 9, 2025
Related event
Nov 30, 2025
Related event
Nov 30, 2025
Disclosed publicly
Dec 4, 2025
Related event
Jan 2, 2026
Related event
Jan 6, 2026
Related event
Oct 2, 2025
Related event
Oct 3, 2025
Related event
Oct 8, 2025
Related event
Oct 9, 2025
Related event
Nov 30, 2025
Related event
Nov 30, 2025
Disclosed publicly
Dec 4, 2025
Related event
Jan 2, 2026
Related event
Jan 6, 2026
Related event
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Cerenade, an Inglewood, California-based provider of cloud case-management software (best known for its eIMMIGRATION platform used by immigration law firms and legal-aid organizations), was breached by the Akira ransomware group between October 2 and October 3, 2025. As a HIPAA Business Associate, Cerenade filed a breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 30, 2025, reporting 987 affected individuals in a Hacking/IT Incident at Network Server. Cerenade subsequently disclosed the incident to the California Attorney General on January 2, 2026 and is offering one year of IDX identity-theft protection to affected individuals.
Timeline
- October 2, 2025 — Akira ransomware operators accessed Cerenade’s network and began exfiltrating data.
- October 3, 2025 — Cerenade contained the immediate intrusion. Akira would later allege roughly 100 GB of data was taken before containment.
- October 8, 2025 — Akira publicly claimed responsibility on its dark-web leak site.
- October 9, 2025 — Cerenade began notifying downstream customers (the law firms and legal-aid organizations that use its platform) of the breach.
- November 30, 2025 — Cerenade filed with the HHS Office for Civil Rights as a Business Associate, reporting 987 affected individuals.
- December 4, 2025 — Downstream customers (for example, Jewish Family & Community Services East Bay) mailed their own notification letters to affected clients, referencing the Cerenade incident.
- January 2, 2026 — Cerenade submitted a sample breach notification to the California Attorney General, formally triggering public disclosure under California law.
- January 6, 2026 — Lynch Carpenter LLP publicly announced a class-action investigation; multiple other plaintiffs’ firms opened parallel investigations.
What information was exposed
According to Cerenade’s notification materials and downstream customer letters filed with the California Attorney General, the categories of information involved in this incident include:
- Names
- Dates of birth
- Social Security numbers
- Passport numbers
- Documents related to immigration case filings (which, depending on the file, can include addresses, driver’s license numbers, financial information, and limited medical information)
Because Cerenade is a Business Associate for HIPAA-covered entities and a vendor to immigration law firms, the records involved skew toward identity documents and case-file scans rather than clinical records.
What Cerenade is offering
Cerenade’s notification materials direct affected individuals to enroll in one year of complimentary IDX identity-theft protection services. Enrollment instructions and an activation code are included in the individual notification letter mailed to each affected person. Affected individuals will receive a letter directly from Cerenade with their enrollment details.
Class-action posture
As of May 16, 2026, no class-action complaint has been confirmed as filed against Cerenade in a court of record. The following plaintiffs’ firms have publicly opened investigations and are soliciting claimants:
- Lynch Carpenter LLP
- The Lyon Firm
- Srourian Law Firm (SLFLA)
- Strauss Borrelli PLLC
- Shamis & Gentile P.A.
Investigations of this size typically precede the filing of one or more consolidated complaints in California state or federal court. We will update this page if and when a complaint is docketed.
What to do if you may be affected
- Enroll in the IDX credit monitoring Cerenade is offering. Even if you have other monitoring, this is free, in addition to what you have, and tied specifically to the records involved here.
- Freeze your credit with the three nationwide consumer reporting agencies. Because Social Security numbers were involved, this is the highest-leverage step against new-account identity theft. It is free, takes about ten minutes per bureau, and does not affect your credit score.
- Watch for IRS and immigration-related fraud. Passport numbers and SSNs together can be misused for tax-refund fraud and for forged identity documents. Consider filing an IRS Identity Protection PIN.
- Read the letter carefully. Your individual notification letter lists the specific data elements involved for your file and the IDX enrollment code. Letters may arrive from Cerenade directly, from the law firm or legal-aid organization that used Cerenade on your behalf, or both.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- California Attorney General — Cerenade submitted breach notification sample — California’s public-record entry.
- Cerenade adult notification letter (PDF, CA AG) — the sample letter Cerenade filed with the California Attorney General.
- JFCS East Bay downstream notification letter (PDF, CA AG) — example of a downstream-customer notification referencing Cerenade.
- DeXpose — Akira ransomware targets Cerenade Technology — threat-intelligence summary of Akira’s leak-site claim.
- GlobeNewswire — Lynch Carpenter LLP investigation announcement — January 6, 2026 announcement of class-action investigation.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- California AG — Cerenade submitted breach notification sample
- California AG — Cerenade adult notification letter (PDF)
- California AG — JFCS East Bay downstream notification letter (PDF)
- DeXpose — Akira ransomware targets Cerenade
- GlobeNewswire — Lynch Carpenter LLP investigation announcement
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.