Active breach tracker CA Disclosed November 30, 2025

Cerenade Data Breach 2025: 987 Affected · Akira Ransomware · CA. Filed With HHS OCR. What To Do.

Cerenade, a California-based cloud case management software vendor, was breached by the Akira ransomware group on October 2-3, 2025. The HHS OCR portal lists 987 affected individuals in a Hacking/IT Incident at Network Server. Cerenade disclosed to the California Attorney General on January 2, 2026 and is offering one year of IDX identity-theft protection.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 2, 2025

Related event

Oct 3, 2025

Related event

Oct 8, 2025

Related event

Oct 9, 2025

Related event

Nov 30, 2025

Related event

Nov 30, 2025

Disclosed publicly

Dec 4, 2025

Related event

Jan 2, 2026

Related event

Jan 6, 2026

Related event

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Passport numbers

03

Contact & insurance

Phishing + targeted scams

Names Dates of birth Immigration case filing documents
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Cerenade, an Inglewood, California-based provider of cloud case-management software (best known for its eIMMIGRATION platform used by immigration law firms and legal-aid organizations), was breached by the Akira ransomware group between October 2 and October 3, 2025. As a HIPAA Business Associate, Cerenade filed a breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 30, 2025, reporting 987 affected individuals in a Hacking/IT Incident at Network Server. Cerenade subsequently disclosed the incident to the California Attorney General on January 2, 2026 and is offering one year of IDX identity-theft protection to affected individuals.

Timeline

  • October 2, 2025 — Akira ransomware operators accessed Cerenade’s network and began exfiltrating data.
  • October 3, 2025 — Cerenade contained the immediate intrusion. Akira would later allege roughly 100 GB of data was taken before containment.
  • October 8, 2025 — Akira publicly claimed responsibility on its dark-web leak site.
  • October 9, 2025 — Cerenade began notifying downstream customers (the law firms and legal-aid organizations that use its platform) of the breach.
  • November 30, 2025 — Cerenade filed with the HHS Office for Civil Rights as a Business Associate, reporting 987 affected individuals.
  • December 4, 2025 — Downstream customers (for example, Jewish Family & Community Services East Bay) mailed their own notification letters to affected clients, referencing the Cerenade incident.
  • January 2, 2026 — Cerenade submitted a sample breach notification to the California Attorney General, formally triggering public disclosure under California law.
  • January 6, 2026 — Lynch Carpenter LLP publicly announced a class-action investigation; multiple other plaintiffs’ firms opened parallel investigations.

What information was exposed

According to Cerenade’s notification materials and downstream customer letters filed with the California Attorney General, the categories of information involved in this incident include:

  • Names
  • Dates of birth
  • Social Security numbers
  • Passport numbers
  • Documents related to immigration case filings (which, depending on the file, can include addresses, driver’s license numbers, financial information, and limited medical information)

Because Cerenade is a Business Associate for HIPAA-covered entities and a vendor to immigration law firms, the records involved skew toward identity documents and case-file scans rather than clinical records.

What Cerenade is offering

Cerenade’s notification materials direct affected individuals to enroll in one year of complimentary IDX identity-theft protection services. Enrollment instructions and an activation code are included in the individual notification letter mailed to each affected person. Affected individuals will receive a letter directly from Cerenade with their enrollment details.

Class-action posture

As of May 16, 2026, no class-action complaint has been confirmed as filed against Cerenade in a court of record. The following plaintiffs’ firms have publicly opened investigations and are soliciting claimants:

  • Lynch Carpenter LLP
  • The Lyon Firm
  • Srourian Law Firm (SLFLA)
  • Strauss Borrelli PLLC
  • Shamis & Gentile P.A.

Investigations of this size typically precede the filing of one or more consolidated complaints in California state or federal court. We will update this page if and when a complaint is docketed.

What to do if you may be affected

  • Enroll in the IDX credit monitoring Cerenade is offering. Even if you have other monitoring, this is free, in addition to what you have, and tied specifically to the records involved here.
  • Freeze your credit with the three nationwide consumer reporting agencies. Because Social Security numbers were involved, this is the highest-leverage step against new-account identity theft. It is free, takes about ten minutes per bureau, and does not affect your credit score.
  • Watch for IRS and immigration-related fraud. Passport numbers and SSNs together can be misused for tax-refund fraud and for forged identity documents. Consider filing an IRS Identity Protection PIN.
  • Read the letter carefully. Your individual notification letter lists the specific data elements involved for your file and the IDX enrollment code. Letters may arrive from Cerenade directly, from the law firm or legal-aid organization that used Cerenade on your behalf, or both.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.