Active breach tracker Fairbanks, AK Disclosed June 27, 2025

Denali Biomedical Data Breach 2025: 2,413 Alaska Oncology Patients Exposed in ION Phishing Attack

Denali Biomedical, a Fairbanks, Alaska ambulatory surgical and oncology clinic in the Integrated Oncology Network (ION), reported a December 13–16, 2024 phishing intrusion that exposed ION email and SharePoint files containing names, Social Security numbers, dates of birth, diagnoses, lab results, medications, treatment information, and health insurance details for 2,413 patients. Filed with HHS OCR on June 27, 2025. Companion filing to roughly two dozen other ION-affiliated cancer practices. Multiple class-action investigations underway.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 13, 2024

Unauthorized parties begin accessing ION employee email and SharePoint accounts via phishing scheme; compromised accounts contained Denali Biomedical patient records

Dec 16, 2024

Unauthorized access window closes (three-day intrusion)

May 9, 2025

ION forensic investigation concludes; determines unauthorized actor accessed email and SharePoint accounts containing Denali Biomedical patient information

Jun 13, 2025

ION notifies its affiliated practices, including Denali Biomedical, that their patient data was within the compromised accounts

Jun 27, 2025

HIPAA breach notification filed with HHS Office for Civil Rights (2,413 individuals; hacking/IT incident; location of PHI listed as Email)

Jul 9, 2025

Denali Biomedical begins mailing individual notification letters to affected patients

Jul 16, 2025

Strauss Borrelli PLLC publicly opens a Denali Biomedical class-action investigation; Federman & Sherwood and other plaintiffs' firms follow

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers

02

Health records

Don't expire and can't be reissued

Diagnoses (including cancer diagnoses) Lab results Medications Treatment information and dates of treatment

03

Contact & insurance

Phishing + targeted scams

Names Addresses Dates of birth Financial account information Health insurance and claims information Provider names

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC Federman & Sherwood Schubert Jonckheer & Kolbe LLP Lynch Carpenter LLP
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Denali Biomedical, an ambulatory surgical and oncology clinic in Fairbanks, Alaska that operates as part of the Integrated Oncology Network (ION), filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 27, 2025, reporting 2,413 affected individuals in a hacking/IT incident traced to ION’s email and SharePoint environment. Denali Biomedical’s filing was one of roughly two dozen separate filings made by ION-affiliated cancer practices on the same date in connection with the same underlying intrusion, which collectively touched more than 117,000 patients across approximately twelve states.

The root cause was a phishing attack in December 2024 that gave an external actor access to a limited number of ION employee email mailboxes and SharePoint files containing patient records for ION-affiliated practices, including Denali Biomedical. ION’s forensic review concluded on May 9, 2025 that patient data was within the compromised accounts. Because those files included clinical content (diagnoses, lab results, medications, treatment information) alongside Social Security numbers, the breach exposes Denali Biomedical’s cancer and surgical patients to elevated risks of targeted scams and medical identity theft.

Timeline

  • December 13, 2024 — Unauthorized parties gain access to a limited number of ION employee email and SharePoint accounts via a phishing scheme. The compromised accounts contained Denali Biomedical patient records.
  • December 16, 2024 — Unauthorized access window closes (three-day intrusion).
  • May 9, 2025 — ION’s forensic investigation determines an unauthorized actor accessed email and SharePoint accounts containing Denali Biomedical patient information.
  • June 13, 2025 — ION notifies Denali Biomedical and its other affiliated practices that their patient data was within the compromised accounts.
  • June 27, 2025 — HIPAA breach notification filed with HHS OCR by Denali Biomedical (2,413 individuals; hacking/IT incident; location of breached PHI listed as Email). Roughly two dozen sister ION practices file the same day.
  • July 9, 2025 — Denali Biomedical begins mailing individual notification letters to affected Alaska patients.
  • July 16, 2025 — Strauss Borrelli PLLC publicly opens a Denali Biomedical–specific class-action investigation. Federman & Sherwood and other plaintiffs’ firms publish parallel investigation notices.

What was exposed

Per the HIPAA Journal summary, the BankInfoSecurity reporting on the ION-wide incident, and the law-firm investigative summaries from Strauss Borrelli and Federman & Sherwood, the compromised ION email mailboxes and SharePoint folders contained Denali Biomedical patient records including:

  • Names, addresses, and dates of birth
  • Social Security numbers (reported as exposed for at least a subset of affected individuals)
  • Financial account information
  • Health insurance and claims information
  • Provider names and dates of treatment
  • Clinical data: diagnoses (including cancer diagnoses), lab results, medications, and treatment information

The OCR portal entry categorizes the breach as a hacking/IT incident with the location of breached PHI listed as Email, consistent with the email-and-SharePoint scope described by counsel and the trade press. Denali Biomedical itself is the covered entity on the OCR filing; ION’s role in the incident is that of a business associate / shared services parent whose compromised infrastructure held the Denali patient files.

Why this breach is sensitive — oncology and surgical context

Denali Biomedical is registered with CMS as an Ambulatory Surgical Clinic/Center and operates as part of ION’s radiation oncology and cancer center footprint. The exposed records therefore can reveal:

  • The fact of a cancer diagnosis or other surgical indication. A sensitive health attribute on its own, capable of affecting insurance underwriting, employment, and personal relationships if disclosed.
  • Specific cancer types, staging language in lab and pathology results, and treatment regimens including chemotherapy and radiation protocols. In many cases these identify the cancer with high specificity.
  • In some patient files, results of genetic testing that is now routine in modern oncology workups (BRCA, Lynch syndrome, somatic tumor panels). Genetic information has heightened federal protection under GINA, and disclosure can affect biological relatives who never consented to the testing.

The combination of name plus Social Security number plus cancer diagnosis is unusually attractive to fraudsters running medical-identity-theft schemes and to bad-faith actors who target cancer patients with treatment-themed phishing. The Denali cohort (2,413 patients) is small relative to the ION-wide tally, but the per-individual risk profile is identical to the largest affiliated practices.

What Denali Biomedical is offering

Per the ION-wide reporting in HIPAA Journal and the law-firm investigative summaries covering this incident, affected individuals are being offered complimentary credit monitoring, dark web monitoring, and identity restoration services, with enrollment instructions included in the individual notification letters mailed beginning July 9, 2025. The specific duration of the monitoring offer (commonly 12 or 24 months for incidents of this severity) is not detailed in the public investigative summaries reviewed for the Denali cohort; affected individuals should refer to their notification letter for the exact term and the single-use enrollment code.

ION has stated, through the consolidated reporting on the broader incident, that it has implemented additional safeguards on email and SharePoint access following the intrusion.

Class-action and regulatory posture

As of this writing, multiple plaintiffs’ firms have publicly opened investigations of the Denali Biomedical filing and the broader ION incident, but no consolidated class action has been independently confirmed in the public docket specifically captioned against Denali Biomedical. A federal class action was filed against the parent ION in the U.S. District Court for the Southern District of California in July 2025; the ION action does not, on its face, name Denali Biomedical as a separate defendant. Firms publicly soliciting affected Denali patients include:

  • Strauss Borrelli PLLC (Samuel J. Strauss leading; firm published a dedicated Denali Biomedical investigation page on July 16, 2025)
  • Federman & Sherwood
  • Schubert Jonckheer & Kolbe LLP
  • Lynch Carpenter LLP

The HHS OCR portal entry remains open (not closed). Because the same phishing attack affected roughly two dozen ION-affiliated practices that filed separately on June 27, 2025, a consolidated multi-entity class action remains plausible but had not been filed against Denali Biomedical specifically at the time of this update.

What to do if you may be affected

If you received care at Denali Biomedical in Fairbanks (or at another ION-affiliated practice), assume you are within the affected population until your individual notification letter confirms otherwise.

  • Enroll in the credit-monitoring offer using the activation code in your notification letter. The enrollment code is single-use; do not let the deadline lapse.
  • Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were among the data exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible at any time.
  • Review your Explanation of Benefits statements from your health insurer for unfamiliar claims, particularly oncology- or surgery-related billing that does not match services you received. Medical identity theft is the most consequential risk profile for this specific incident.
  • Be skeptical of unsolicited contact that references your cancer treatment or surgery. With names paired to specific diagnoses and treatment dates, follow-on scams are easier to make convincing. Verify anything that claims to come from Denali Biomedical, your oncologist, or your insurer by calling a number you already have on file.
  • Consider an IRS identity-protection PIN. With Social Security numbers in the wild, the IRS IP PIN is a strong defense against tax-refund fraud.
  • If genetic testing was part of your care, ask Denali Biomedical in writing whether your genetic results were among the documents exposed. A written confirmation is worth keeping.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.