CityHealth Data Breach 2026: 65,000 California Patients Exposed via Former Business Counterparty. EMR Re-Accessed by Ex-Vendor. What To Do
CityHealth, a San Leandro and Oakland urgent-care and dermatology medical corporation, disclosed in May 2026 that a former business counterparty re-entered its DrChrono EMR platform after their authorized access had been terminated. 65,000 patients exposed. No SSN or financial data in scope per the company notice. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 2, 2026
First unauthorized access event
Mar 11, 2026
Second unauthorized access event
Mar 30, 2026
CityHealth discovers the incident
Apr 14, 2026
Disclosed to California AG and HHS
Apr 30, 2026
OCR submission posted
May 8, 2026
Public notice posted to cityhealth.com
Mar 2, 2026
First unauthorized access event
Mar 11, 2026
Second unauthorized access event
Mar 30, 2026
CityHealth discovers the incident
Apr 14, 2026
Disclosed to California AG and HHS
Apr 30, 2026
OCR submission posted
May 8, 2026
Public notice posted to cityhealth.com
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
CityHealth is a Latina- and woman-owned urgent care and dermatology medical corporation operating two clinics in the East Bay: San Leandro (201 Dolores Avenue, San Leandro, CA 94577) and Montclair Village, Oakland. CityHealth is an affiliate of BASS Medical Group. The clinics use the DrChrono electronic medical record platform (now part of EverHealth).
On March 2 and March 11, 2026, an unauthorized actor accessed CityHealth’s DrChrono EMR. The actor was identified as a former business counterparty whose previously-authorized access had been terminated; they re-entered the EMR using credentials tied to a separate third-party account, not credentials issued by CityHealth. This is closer to insider / ex-vendor credential abuse than an external ransomware intrusion. No ransomware group claimed responsibility; no leak-site listing has been identified.
CityHealth discovered the incident on March 30, 2026, immediately revoked the access, engaged forensics, and disclosed to the California Attorney General and HHS Office for Civil Rights on April 14, 2026. The OCR portal entry was posted on April 30, 2026 (65,000 affected). A public notice was posted to cityhealth.com/notice/ on May 8, 2026.
What was stolen
The company’s notice lists the affected data as:
- Full name
- Home address
- Date of birth
- Contact information
- Demographic information
- Health insurance information
- Medical treatment / procedure information
- Internal billing / financial data
The notice explicitly does not include Social Security numbers, full financial account numbers, or payment card numbers. Treatment information from an urgent-care and dermatology context is the primary sensitive element here.
What CityHealth is offering
No complimentary credit monitoring or identity-theft protection services were offered, citing the limited scope (no SSN, no financial account credentials). The notice directs affected individuals to monitoring and self-help resources. This is defensible given the dataset, but is uncommon for a 65,000-record HIPAA breach and may be a point of contention if class actions are filed.
- Call center: 800-283-0817
- Privacy email: [email protected]
- 90-day support window from notice date
What to do
- Be alert to phishing that references your CityHealth visits — appointment specifics, location, or treatment context. The exposed dataset gives the ex-counterparty enough information for highly targeted scam outreach.
- Review your Explanation of Benefits statements for unfamiliar urgent-care or dermatology claims.
- If you have used DrChrono via other providers, change passwords on the DrChrono patient portal as a precaution.
- Stop the ongoing flow of your treatment data. HealthConsent files HIPAA restriction requests and California-specific CMIA restriction requests so the urgent-care and dermatology treatment data exposed in this breach is not continuously re-shared by downstream entities.
Frequently asked questions
Who was the “former business counterparty”?
CityHealth has not publicly named the individual or entity. The notice describes only that the access was through a “third-party account” not issued by CityHealth itself.
Should I sue?
No class action complaint has been filed as of mid-May 2026. The notice is only a week old. The absence of complimentary credit monitoring plus the size of the affected class may attract plaintiffs’ firms in coming weeks.
Is HealthConsent affiliated with CityHealth?
No. HealthConsent is an independent health-data privacy service.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- CityHealth: Notice of Data Security Incident
- CityHealth Homepage
- CityHealth Locations
- California Attorney General: Data Breach List
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.