Dameron Hospital Data Breach (2023 RansomHouse Ransomware): 210,706 Affected, Notified April 2025, $650K Settlement
Stockton, California community hospital Dameron Hospital was hit by a RansomHouse ransomware attack on November 4-5, 2023, with roughly 480 GB exfiltrated. The hospital did not determine PHI was involved until March 21, 2025, and began notifying 210,706 individuals on April 2, 2025. A $650,000 class-action settlement was reached and a final approval hearing was held May 29, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 4, 2023
Unauthorized access begins to Dameron Hospital network
Nov 5, 2023
Intrusion detected; hospital enters downtime procedures
Jan 15, 2024
Carmona v. Dameron Hospital Association filed in San Joaquin County Superior Court (Case No. STK-CV-UPI-2024-527)
Dec 12, 2024
Preliminary approval of $650,000 class-action settlement
Mar 21, 2025
Forensic review concludes exfiltrated files may contain personal and protected health information
Apr 2, 2025
Individual notification letters issued; HHS OCR filing submitted (210,706 affected); California AG notified
Apr 2, 2025
Disclosed publicly
Apr 3, 2025
California AG and Texas AG receive breach notice filings; Massachusetts AG notified April 2
Apr 22, 2025
Settlement claim-submission deadline
May 29, 2025
Final approval hearing, San Joaquin County Superior Court, Dept. 11B
Nov 4, 2023
Unauthorized access begins to Dameron Hospital network
Nov 5, 2023
Intrusion detected; hospital enters downtime procedures
Jan 15, 2024
Carmona v. Dameron Hospital Association filed in San Joaquin County Superior Court (Case No. STK-CV-UPI-2024-527)
Dec 12, 2024
Preliminary approval of $650,000 class-action settlement
Mar 21, 2025
Forensic review concludes exfiltrated files may contain personal and protected health information
Apr 2, 2025
Individual notification letters issued; HHS OCR filing submitted (210,706 affected); California AG notified
Apr 2, 2025
Disclosed publicly
Apr 3, 2025
California AG and Texas AG receive breach notice filings; Massachusetts AG notified April 2
Apr 22, 2025
Settlement claim-submission deadline
May 29, 2025
Final approval hearing, San Joaquin County Superior Court, Dept. 11B
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Dameron Hospital is a nonprofit community hospital with more than 200 beds located at 525 Acacia Street in Stockton, California, serving San Joaquin County. As of December 2024, American Advanced Management (AAM), based in Modesto, California, owns the hospital, having taken over from Adventist Health.
On November 4-5, 2023, RansomHouse breached Dameron’s network, claiming roughly 480 GB of exfiltrated data on its dark-web leak site. The group operates as a double-extortion outfit: encrypting systems and publishing stolen data if ransom is not paid. KCRA 3 Sacramento reported the initial attack in November 2023, when the hospital confirmed “a data security incident that has impacted certain systems on our network” and noted that some patient procedures were rescheduled during the downtime period. BankInfoSecurity (ISMG) confirmed RansomHouse’s claim and reported the group boasted the exfiltrated data was at least partially disclosed on its dark-web site.
What followed was an unusually prolonged investigation. Dameron did not conclude that the exfiltrated files may have contained personal and protected health information until March 21, 2025, roughly 16 months after the intrusion. On April 2, 2025, the hospital mailed individual notification letters and filed the breach with HHS OCR, reporting 210,706 affected individuals. Dameron also filed breach notices with at least 13 state attorneys general, including California (April 3), Massachusetts (April 2), Texas (April 3), Vermont, Iowa, Maine, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, and Washington. The 16-month gap between the November 2023 intrusion and April 2025 notifications exceeded HIPAA’s 60-day notification window by approximately nine months, a regulatory exposure point flagged by HIPAA Journal and DataBreaches.net.
What was stolen
According to Dameron’s official notification letter, the data elements potentially exposed vary by individual and may include:
- Full name and date of birth
- Social Security number
- Driver’s license, state ID, and other government identification numbers
- Credit and debit card and other payment / account information
- Health insurance information
- Medical information
The hospital’s notice confirms that individuals whose Social Security numbers were in the impacted files received a specific credit monitoring offer (see below). RansomHouse’s operational pattern is data-theft extortion rather than encryption alone, and the group posted Dameron on its leak site, meaning the exfiltrated data was staged for public release and may remain accessible.
What Dameron is offering
Dameron’s breach notification letter offered Experian IdentityWorks Credit 3B to individuals whose Social Security numbers were among the impacted files. This product provides three-bureau credit monitoring (Experian, Equifax, TransUnion), an Experian credit report at signup, Experian IdentityWorks ExtendCARE (identity restoration support after the membership period ends), and up to $1 million in identity theft insurance. The letter directed recipients to call 855-285-9857, Monday through Friday, 6 a.m. to 6 p.m. Pacific Time, excluding holidays, for questions or to determine if they were affected.
Under the class-action settlement, eligible class members could choose one of the following before the April 22, 2025 claim deadline:
- Up to $5,000 reimbursement for documented unreimbursed losses tied to the breach, plus 12 months of three-bureau credit monitoring.
- A flat alternative cash payment of $50 (non-California residents) or $100 (California residents), in lieu of credit monitoring.
The settlement is capped at $650,000. Attorneys’ fees are capped at $216,645 plus expenses, and the named plaintiff received a $2,500 service award. Kroll Settlement Administration LLC administered the settlement. The settlement website is DameronHospitalSettlement.com and the toll-free claims line is 833-876-1201. Dameron denies any wrongdoing or liability.
Class actions
The consolidated case is Carmona v. Dameron Hospital Association d/b/a Dameron Hospital, San Joaquin County Superior Court, Case No. STK-CV-UPI-2024-527. The named plaintiff is Karima Carmona, a former Dameron lab technician and patient. The complaint, filed January 15, 2024 (well before any individual notifications were issued), alleged violation of the California Confidentiality of Medical Information Act (CMIA), California Unfair Competition Law, California Consumers Legal Remedies Act, California Consumer Privacy Act, and California Consumer Records Act.
Plaintiff counsel of record: John J. Nelson of Milberg Coleman Bryson Phillips Grossman PLLC (Beverly Hills) and Kristen Lake Cardoso of Kopelowitz Ostrow P.A. (Florida). The court granted preliminary approval on December 12, 2024. The final approval hearing was held May 29, 2025 at 9:00 a.m. in Department 11B of the San Joaquin County Superior Court, 180 E Weber Ave., Stockton, CA 95202. No public record of final approval denial has been found; confirmation of a final approval order has not been independently sourced as of this writing.
The class-action filing predating individual notifications by over a year, and the CMIA claims, are notable: California’s Confidentiality of Medical Information Act provides stronger private remedies than HIPAA for California residents whose medical information was disclosed without authorization.
What to do
If you received a notification letter from Dameron Hospital or believe you were a patient during 2023:
- Freeze your credit at Equifax, Experian, and TransUnion. This is free and prevents new accounts from being opened in your name. With SSNs and government IDs in scope, a freeze is the highest-leverage protective step.
- Activate the Experian IdentityWorks offer if you received it in your notification letter and have not yet done so. If your claim deadline has passed, contact Experian directly at 1-888-397-3742 for paid enrollment options.
- File IRS Form 14039 (Identity Theft Affidavit) if you are concerned about fraudulent tax returns. The IRS Identity Protection PIN program (irs.gov/identity-theft-central) adds a layer of protection.
- Watch for medical-identity misuse. Review Explanation of Benefits (EOB) statements from every insurer. Request your medical record summary if you notice treatment or prescriptions you did not receive.
- Be alert for targeted phishing referencing Dameron, “American Advanced Management,” or the settlement. Verify any contact through official channels (855-285-9857 for the hospital; 833-876-1201 for the settlement) rather than clicking links in unsolicited messages.
- California residents: The CMIA gives you stronger private remedies than HIPAA for unauthorized disclosure of your medical information. Document any harm and consult a privacy attorney if you believe your records were misused.
- Keep your notification letter. It documents the specific data elements exposed for you individually and is useful if you later need to dispute fraudulent activity or file a regulatory complaint.
Stop the ongoing flow of your hospital records. HealthConsent files HIPAA restriction requests so the medical and payment information exposed in this breach is not continuously re-shared with insurers, data brokers, and other covered entities.
Continue reading
Sources
- DataBreaches.net - 16 months after they experienced a ransomware attack, Dameron Hospital notifies those affected
- HIPAA Journal - Dameron Hospital Settles Class Action Data Breach Lawsuit For $650,000
- DataBreachToday / BankInfoSecurity - Two Ransomware Hacks Affect 1.1 Million Patients
- Stocktonia News - Deadline looms to seek compensation after Dameron Hospital data breach
- Top Class Actions - $650,000 Dameron Hospital data breach class action settlement
- Ransomware.live - Dameron Hospital entry on RansomHouse leak site
- HHS Office for Civil Rights Breach Portal
- California Attorney General Data Breach List - Dameron Hospital
- California AG - Redacted notice letter filed by Dameron Hospital
- Dameron Hospital Official Notice of Data Security Incident (PDF)
- KCRA 3 Sacramento - Dameron Hospital in Stockton hit by cyberattack
- ClassAction.org - $650K Settlement Resolves Dameron Hospital Data Breach Lawsuit
- ClaimDepot - Dameron Hospital Data Breach: multi-state AG filing summary
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- DataBreaches.net - 16 months after they experienced a ransomware attack, Dameron Hospital notifies those affected
- HIPAA Journal - Dameron Hospital Settles Class Action Data Breach Lawsuit For $650,000
- Information Security Media Group / DataBreachToday - Two Ransomware Hacks Affect 1.1 Million Patients
- Stocktonia News - Deadline looms to seek compensation after Dameron Hospital data breach
- Top Class Actions - $650,000 Dameron Hospital data breach class action settlement (court & counsel)
- Ransomware.live - Dameron Hospital entry on RansomHouse leak site
- HHS Office for Civil Rights Breach Portal
- California Attorney General Data Breach List - Dameron Hospital (breach date 11/04/2023, notified 04/02/2025)
- California AG - Redacted notice letter filed by Dameron Hospital (Experian IdentityWorks offer)
- Dameron Hospital Official Notice of Data Security Incident (hosted on hospital website via Cloudinary)
- KCRA 3 Sacramento - Dameron Hospital in Stockton hit by cyberattack (November 2023 initial coverage)
- ClassAction.org - $650K Settlement Resolves Dameron Hospital Data Breach Lawsuit (California laws cited)
- ClaimDepot - Dameron Hospital Data Breach: multi-state AG filing summary
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.