Active breach tracker Redding, CA Disclosed December 28, 2025

Docs Medical Group, Inc. dba Pulse Urgent Care Data Breach 2025: 4,035 Affected · Hacking/IT Incident · CA. Filed With HHS OCR. What To Do.

Docs Medical Group, Inc. dba Pulse Urgent Care (Redding, CA) filed a HIPAA breach notification with the HHS Office for Civil Rights on December 28, 2025, reporting 4,035 affected individuals. The Medusa ransomware group claimed the March 24, 2025 intrusion. Notification letters went out on December 29, 2025 with 12 months of TransUnion credit monitoring.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 24, 2025

detected

Mar 24, 2025

Breach detected

Nov 26, 2025

other

Dec 26, 2025

other

Dec 28, 2025

filed

Dec 28, 2025

Disclosed publicly

Dec 29, 2025

notified

Jan 5, 2026

class-action

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number Passport number

02

Health records

Don't expire and can't be reissued

Clinical or treatment information (lab results, prescription information, provider information)

03

Contact & insurance

Phishing + targeted scams

Name Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Docs Medical Group, Inc., the Redding, California operator of Pulse Urgent Care, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on December 28, 2025, reporting 4,035 affected individuals. The clinic detected suspicious activity on its network in late March 2025, and the Medusa ransomware group subsequently claimed responsibility on its dark-web leak site and demanded a $120,000 ransom. Substitute notice was issued on December 29, 2025.

Timeline

  • March 24, 2025 — Pulse Urgent Care detected suspicious activity on its network and contained the intrusion.
  • November 26, 2025 — Forensic review completed; the entity identified the specific individuals and data elements involved.
  • December 26, 2025 — Notification letter dated and provided to regulators (California Attorney General copy filed on this date).
  • December 28, 2025 — HHS OCR breach report posted listing 4,035 affected individuals, “Hacking/IT Incident,” Network Server.
  • December 29, 2025 — Substitute notice published via PR Newswire; individual notification letters mailed to those with addresses on file.
  • January 5, 2026 — Cole & Van Note publicly announces a class-action investigation on behalf of affected patients.

Exposed data

Per the entity’s own notice, the data elements that may have been involved vary by individual and include name; date of birth; Social Security number; driver’s license number; passport number; clinical or treatment information including lab results, prescription information, and provider information; and health insurance information.

The combination of Social Security number, government ID number, and clinical detail is high-severity. Driver’s license and passport numbers, in particular, enable synthetic-identity fraud that credit monitoring alone does not detect.

What Pulse Urgent Care is offering

Eligible individuals are offered 12 months of complimentary credit monitoring and identity-theft protection through TransUnion, with a 90-day enrollment window from receipt of the notification letter. The entity has stood up a dedicated call center at 1-833-303-4915, staffed Monday through Friday, 8:00 a.m. to 8:00 p.m. Eastern.

Class-action posture

Cole & Van Note, a California consumer-protection class-action firm, announced an investigation on January 5, 2026, and has since closed intake on this matter (“THIS INVESTIGATION IS NO LONGER ACCEPTING NEW CLIENTS”), which typically signals that a complaint has been filed or that the firm has consolidated its client roster ahead of filing. Additional plaintiffs’ firms commonly file parallel actions for breaches of this size in California state and federal court.

What to do if you may be affected

  • Enroll in the TransUnion offer before the 90-day deadline. It is free and does not waive any legal claims.
  • Freeze your credit with Equifax, Experian, and TransUnion. A freeze is free, takes about ten minutes per bureau, and is materially more protective than monitoring alone against new-account fraud.
  • If your driver’s license or passport number was listed in your individual notice, contact the California DMV and the U.S. Department of State respectively to flag the document and request guidance on replacement.
  • Watch for medical-identity misuse. Review your explanation-of-benefits statements from health insurers for services you did not receive. Medical identity theft is harder to detect than credit fraud and is not surfaced by standard credit monitoring.
  • Keep the notification letter. If a class action is certified, the letter will be the simplest proof of class membership.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.