Active breach tracker Stockton, California Disclosed April 2, 2025

Dameron Hospital Data Breach (2023 RansomHouse Ransomware): 210,706 Affected, Notified April 2025, $650K Settlement

Stockton, California community hospital Dameron Hospital was hit by a RansomHouse ransomware attack on November 4-5, 2023, with roughly 480 GB exfiltrated. The hospital did not determine PHI was involved until March 21, 2025, and began notifying 210,706 individuals on April 2, 2025. A $650,000 class-action settlement was reached and a final approval hearing was held May 29, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 4, 2023

Unauthorized access begins to Dameron Hospital network

Nov 5, 2023

Intrusion detected; hospital enters downtime procedures

Jan 15, 2024

Carmona v. Dameron Hospital Association filed in San Joaquin County Superior Court (Case No. STK-CV-UPI-2024-527)

Dec 12, 2024

Preliminary approval of $650,000 class-action settlement

Mar 21, 2025

Forensic review concludes exfiltrated files may contain personal and protected health information

Apr 2, 2025

Individual notification letters issued; HHS OCR filing submitted (210,706 affected); California AG notified

Apr 2, 2025

Disclosed publicly

Apr 3, 2025

California AG and Texas AG receive breach notice filings; Massachusetts AG notified April 2

Apr 22, 2025

Settlement claim-submission deadline

May 29, 2025

Final approval hearing, San Joaquin County Superior Court, Dept. 11B

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license, state ID, and other government identification numbers

03

Contact & insurance

Phishing + targeted scams

Full name Credit and debit card / payment information Health insurance information Medical information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Milberg Coleman Bryson Phillips Grossman PLLC (John J. Nelson) Kopelowitz Ostrow P.A. (Kristen Lake Cardoso)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Dameron Hospital is a nonprofit community hospital with more than 200 beds located at 525 Acacia Street in Stockton, California, serving San Joaquin County. As of December 2024, American Advanced Management (AAM), based in Modesto, California, owns the hospital, having taken over from Adventist Health.

On November 4-5, 2023, RansomHouse breached Dameron’s network, claiming roughly 480 GB of exfiltrated data on its dark-web leak site. The group operates as a double-extortion outfit: encrypting systems and publishing stolen data if ransom is not paid. KCRA 3 Sacramento reported the initial attack in November 2023, when the hospital confirmed “a data security incident that has impacted certain systems on our network” and noted that some patient procedures were rescheduled during the downtime period. BankInfoSecurity (ISMG) confirmed RansomHouse’s claim and reported the group boasted the exfiltrated data was at least partially disclosed on its dark-web site.

What followed was an unusually prolonged investigation. Dameron did not conclude that the exfiltrated files may have contained personal and protected health information until March 21, 2025, roughly 16 months after the intrusion. On April 2, 2025, the hospital mailed individual notification letters and filed the breach with HHS OCR, reporting 210,706 affected individuals. Dameron also filed breach notices with at least 13 state attorneys general, including California (April 3), Massachusetts (April 2), Texas (April 3), Vermont, Iowa, Maine, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, and Washington. The 16-month gap between the November 2023 intrusion and April 2025 notifications exceeded HIPAA’s 60-day notification window by approximately nine months, a regulatory exposure point flagged by HIPAA Journal and DataBreaches.net.

What was stolen

According to Dameron’s official notification letter, the data elements potentially exposed vary by individual and may include:

  • Full name and date of birth
  • Social Security number
  • Driver’s license, state ID, and other government identification numbers
  • Credit and debit card and other payment / account information
  • Health insurance information
  • Medical information

The hospital’s notice confirms that individuals whose Social Security numbers were in the impacted files received a specific credit monitoring offer (see below). RansomHouse’s operational pattern is data-theft extortion rather than encryption alone, and the group posted Dameron on its leak site, meaning the exfiltrated data was staged for public release and may remain accessible.

What Dameron is offering

Dameron’s breach notification letter offered Experian IdentityWorks Credit 3B to individuals whose Social Security numbers were among the impacted files. This product provides three-bureau credit monitoring (Experian, Equifax, TransUnion), an Experian credit report at signup, Experian IdentityWorks ExtendCARE (identity restoration support after the membership period ends), and up to $1 million in identity theft insurance. The letter directed recipients to call 855-285-9857, Monday through Friday, 6 a.m. to 6 p.m. Pacific Time, excluding holidays, for questions or to determine if they were affected.

Under the class-action settlement, eligible class members could choose one of the following before the April 22, 2025 claim deadline:

  • Up to $5,000 reimbursement for documented unreimbursed losses tied to the breach, plus 12 months of three-bureau credit monitoring.
  • A flat alternative cash payment of $50 (non-California residents) or $100 (California residents), in lieu of credit monitoring.

The settlement is capped at $650,000. Attorneys’ fees are capped at $216,645 plus expenses, and the named plaintiff received a $2,500 service award. Kroll Settlement Administration LLC administered the settlement. The settlement website is DameronHospitalSettlement.com and the toll-free claims line is 833-876-1201. Dameron denies any wrongdoing or liability.

Class actions

The consolidated case is Carmona v. Dameron Hospital Association d/b/a Dameron Hospital, San Joaquin County Superior Court, Case No. STK-CV-UPI-2024-527. The named plaintiff is Karima Carmona, a former Dameron lab technician and patient. The complaint, filed January 15, 2024 (well before any individual notifications were issued), alleged violation of the California Confidentiality of Medical Information Act (CMIA), California Unfair Competition Law, California Consumers Legal Remedies Act, California Consumer Privacy Act, and California Consumer Records Act.

Plaintiff counsel of record: John J. Nelson of Milberg Coleman Bryson Phillips Grossman PLLC (Beverly Hills) and Kristen Lake Cardoso of Kopelowitz Ostrow P.A. (Florida). The court granted preliminary approval on December 12, 2024. The final approval hearing was held May 29, 2025 at 9:00 a.m. in Department 11B of the San Joaquin County Superior Court, 180 E Weber Ave., Stockton, CA 95202. No public record of final approval denial has been found; confirmation of a final approval order has not been independently sourced as of this writing.

The class-action filing predating individual notifications by over a year, and the CMIA claims, are notable: California’s Confidentiality of Medical Information Act provides stronger private remedies than HIPAA for California residents whose medical information was disclosed without authorization.

What to do

If you received a notification letter from Dameron Hospital or believe you were a patient during 2023:

  1. Freeze your credit at Equifax, Experian, and TransUnion. This is free and prevents new accounts from being opened in your name. With SSNs and government IDs in scope, a freeze is the highest-leverage protective step.
  2. Activate the Experian IdentityWorks offer if you received it in your notification letter and have not yet done so. If your claim deadline has passed, contact Experian directly at 1-888-397-3742 for paid enrollment options.
  3. File IRS Form 14039 (Identity Theft Affidavit) if you are concerned about fraudulent tax returns. The IRS Identity Protection PIN program (irs.gov/identity-theft-central) adds a layer of protection.
  4. Watch for medical-identity misuse. Review Explanation of Benefits (EOB) statements from every insurer. Request your medical record summary if you notice treatment or prescriptions you did not receive.
  5. Be alert for targeted phishing referencing Dameron, “American Advanced Management,” or the settlement. Verify any contact through official channels (855-285-9857 for the hospital; 833-876-1201 for the settlement) rather than clicking links in unsolicited messages.
  6. California residents: The CMIA gives you stronger private remedies than HIPAA for unauthorized disclosure of your medical information. Document any harm and consult a privacy attorney if you believe your records were misused.
  7. Keep your notification letter. It documents the specific data elements exposed for you individually and is useful if you later need to dispute fraudulent activity or file a regulatory complaint.

Stop the ongoing flow of your hospital records. HealthConsent files HIPAA restriction requests so the medical and payment information exposed in this breach is not continuously re-shared with insurers, data brokers, and other covered entities.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.