Denali Biomedical Data Breach 2025: 2,413 Alaska Oncology Patients Exposed in ION Phishing Attack
Denali Biomedical, a Fairbanks, Alaska ambulatory surgical and oncology clinic in the Integrated Oncology Network (ION), reported a December 13–16, 2024 phishing intrusion that exposed ION email and SharePoint files containing names, Social Security numbers, dates of birth, diagnoses, lab results, medications, treatment information, and health insurance details for 2,413 patients. Filed with HHS OCR on June 27, 2025. Companion filing to roughly two dozen other ION-affiliated cancer practices. Multiple class-action investigations underway.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 13, 2024
Unauthorized parties begin accessing ION employee email and SharePoint accounts via phishing scheme; compromised accounts contained Denali Biomedical patient records
Dec 16, 2024
Unauthorized access window closes (three-day intrusion)
May 9, 2025
ION forensic investigation concludes; determines unauthorized actor accessed email and SharePoint accounts containing Denali Biomedical patient information
Jun 13, 2025
ION notifies its affiliated practices, including Denali Biomedical, that their patient data was within the compromised accounts
Jun 27, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (2,413 individuals; hacking/IT incident; location of PHI listed as Email)
Jul 9, 2025
Denali Biomedical begins mailing individual notification letters to affected patients
Jul 16, 2025
Strauss Borrelli PLLC publicly opens a Denali Biomedical class-action investigation; Federman & Sherwood and other plaintiffs' firms follow
Dec 13, 2024
Unauthorized parties begin accessing ION employee email and SharePoint accounts via phishing scheme; compromised accounts contained Denali Biomedical patient records
Dec 16, 2024
Unauthorized access window closes (three-day intrusion)
May 9, 2025
ION forensic investigation concludes; determines unauthorized actor accessed email and SharePoint accounts containing Denali Biomedical patient information
Jun 13, 2025
ION notifies its affiliated practices, including Denali Biomedical, that their patient data was within the compromised accounts
Jun 27, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (2,413 individuals; hacking/IT incident; location of PHI listed as Email)
Jul 9, 2025
Denali Biomedical begins mailing individual notification letters to affected patients
Jul 16, 2025
Strauss Borrelli PLLC publicly opens a Denali Biomedical class-action investigation; Federman & Sherwood and other plaintiffs' firms follow
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Denali Biomedical, an ambulatory surgical and oncology clinic in Fairbanks, Alaska that operates as part of the Integrated Oncology Network (ION), filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 27, 2025, reporting 2,413 affected individuals in a hacking/IT incident traced to ION’s email and SharePoint environment. Denali Biomedical’s filing was one of roughly two dozen separate filings made by ION-affiliated cancer practices on the same date in connection with the same underlying intrusion, which collectively touched more than 117,000 patients across approximately twelve states.
The root cause was a phishing attack in December 2024 that gave an external actor access to a limited number of ION employee email mailboxes and SharePoint files containing patient records for ION-affiliated practices, including Denali Biomedical. ION’s forensic review concluded on May 9, 2025 that patient data was within the compromised accounts. Because those files included clinical content (diagnoses, lab results, medications, treatment information) alongside Social Security numbers, the breach exposes Denali Biomedical’s cancer and surgical patients to elevated risks of targeted scams and medical identity theft.
Timeline
- December 13, 2024 — Unauthorized parties gain access to a limited number of ION employee email and SharePoint accounts via a phishing scheme. The compromised accounts contained Denali Biomedical patient records.
- December 16, 2024 — Unauthorized access window closes (three-day intrusion).
- May 9, 2025 — ION’s forensic investigation determines an unauthorized actor accessed email and SharePoint accounts containing Denali Biomedical patient information.
- June 13, 2025 — ION notifies Denali Biomedical and its other affiliated practices that their patient data was within the compromised accounts.
- June 27, 2025 — HIPAA breach notification filed with HHS OCR by Denali Biomedical (2,413 individuals; hacking/IT incident; location of breached PHI listed as Email). Roughly two dozen sister ION practices file the same day.
- July 9, 2025 — Denali Biomedical begins mailing individual notification letters to affected Alaska patients.
- July 16, 2025 — Strauss Borrelli PLLC publicly opens a Denali Biomedical–specific class-action investigation. Federman & Sherwood and other plaintiffs’ firms publish parallel investigation notices.
What was exposed
Per the HIPAA Journal summary, the BankInfoSecurity reporting on the ION-wide incident, and the law-firm investigative summaries from Strauss Borrelli and Federman & Sherwood, the compromised ION email mailboxes and SharePoint folders contained Denali Biomedical patient records including:
- Names, addresses, and dates of birth
- Social Security numbers (reported as exposed for at least a subset of affected individuals)
- Financial account information
- Health insurance and claims information
- Provider names and dates of treatment
- Clinical data: diagnoses (including cancer diagnoses), lab results, medications, and treatment information
The OCR portal entry categorizes the breach as a hacking/IT incident with the location of breached PHI listed as Email, consistent with the email-and-SharePoint scope described by counsel and the trade press. Denali Biomedical itself is the covered entity on the OCR filing; ION’s role in the incident is that of a business associate / shared services parent whose compromised infrastructure held the Denali patient files.
Why this breach is sensitive — oncology and surgical context
Denali Biomedical is registered with CMS as an Ambulatory Surgical Clinic/Center and operates as part of ION’s radiation oncology and cancer center footprint. The exposed records therefore can reveal:
- The fact of a cancer diagnosis or other surgical indication. A sensitive health attribute on its own, capable of affecting insurance underwriting, employment, and personal relationships if disclosed.
- Specific cancer types, staging language in lab and pathology results, and treatment regimens including chemotherapy and radiation protocols. In many cases these identify the cancer with high specificity.
- In some patient files, results of genetic testing that is now routine in modern oncology workups (BRCA, Lynch syndrome, somatic tumor panels). Genetic information has heightened federal protection under GINA, and disclosure can affect biological relatives who never consented to the testing.
The combination of name plus Social Security number plus cancer diagnosis is unusually attractive to fraudsters running medical-identity-theft schemes and to bad-faith actors who target cancer patients with treatment-themed phishing. The Denali cohort (2,413 patients) is small relative to the ION-wide tally, but the per-individual risk profile is identical to the largest affiliated practices.
What Denali Biomedical is offering
Per the ION-wide reporting in HIPAA Journal and the law-firm investigative summaries covering this incident, affected individuals are being offered complimentary credit monitoring, dark web monitoring, and identity restoration services, with enrollment instructions included in the individual notification letters mailed beginning July 9, 2025. The specific duration of the monitoring offer (commonly 12 or 24 months for incidents of this severity) is not detailed in the public investigative summaries reviewed for the Denali cohort; affected individuals should refer to their notification letter for the exact term and the single-use enrollment code.
ION has stated, through the consolidated reporting on the broader incident, that it has implemented additional safeguards on email and SharePoint access following the intrusion.
Class-action and regulatory posture
As of this writing, multiple plaintiffs’ firms have publicly opened investigations of the Denali Biomedical filing and the broader ION incident, but no consolidated class action has been independently confirmed in the public docket specifically captioned against Denali Biomedical. A federal class action was filed against the parent ION in the U.S. District Court for the Southern District of California in July 2025; the ION action does not, on its face, name Denali Biomedical as a separate defendant. Firms publicly soliciting affected Denali patients include:
- Strauss Borrelli PLLC (Samuel J. Strauss leading; firm published a dedicated Denali Biomedical investigation page on July 16, 2025)
- Federman & Sherwood
- Schubert Jonckheer & Kolbe LLP
- Lynch Carpenter LLP
The HHS OCR portal entry remains open (not closed). Because the same phishing attack affected roughly two dozen ION-affiliated practices that filed separately on June 27, 2025, a consolidated multi-entity class action remains plausible but had not been filed against Denali Biomedical specifically at the time of this update.
What to do if you may be affected
If you received care at Denali Biomedical in Fairbanks (or at another ION-affiliated practice), assume you are within the affected population until your individual notification letter confirms otherwise.
- Enroll in the credit-monitoring offer using the activation code in your notification letter. The enrollment code is single-use; do not let the deadline lapse.
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were among the data exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible at any time.
- Review your Explanation of Benefits statements from your health insurer for unfamiliar claims, particularly oncology- or surgery-related billing that does not match services you received. Medical identity theft is the most consequential risk profile for this specific incident.
- Be skeptical of unsolicited contact that references your cancer treatment or surgery. With names paired to specific diagnoses and treatment dates, follow-on scams are easier to make convincing. Verify anything that claims to come from Denali Biomedical, your oncologist, or your insurer by calling a number you already have on file.
- Consider an IRS identity-protection PIN. With Social Security numbers in the wild, the IRS IP PIN is a strong defense against tax-refund fraud.
- If genetic testing was part of your care, ask Denali Biomedical in writing whether your genetic results were among the documents exposed. A written confirmation is worth keeping.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the June 27, 2025 filing (2,413 affected; hacking/IT incident; email location).
- HIPAA Journal — Phishing Attack Affects Multiple Cancer Treatment Centers — confirms 2,413 affected for Denali Biomedical, December 13–16, 2024 access window, and the full exposed-data inventory including Social Security numbers, credit-monitoring offer, and ION-wide scope.
- BankInfoSecurity — Email Hack Affects at Least 24 Cancer Care Practices — confirms the ION-wide scope, the May 9, 2025 forensic determination date, and ION’s business-associate role.
- Strauss Borrelli PLLC — Denali Biomedical Data Breach Investigation — confirms Denali-specific class-action investigation, June 27, 2025 OCR filing, ION administrative parent relationship, and Fairbanks, Alaska location.
- Federman & Sherwood — Denali Biomedical Data Breach Investigation — confirms 2,413 affected, July 9, 2025 notification mailing date, and the phishing/email vector.
- OpenNPI — Denali Biomedical LLC — confirms Denali Biomedical’s CMS taxonomy as an Ambulatory Surgical Clinic/Center at 2485 Chief William Dr, Fairbanks, AK 99709.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Phishing Attack Affects Multiple Cancer Treatment Centers
- BankInfoSecurity — Email Hack Affects at Least 24 Cancer Care Practices
- Strauss Borrelli PLLC — Denali Biomedical Data Breach Investigation
- Federman & Sherwood — Denali Biomedical Data Breach Investigation
- OpenNPI — Denali Biomedical LLC (Ambulatory Surgical Clinic/Center, Fairbanks AK)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.