Docs Medical Group, Inc. dba Pulse Urgent Care Data Breach 2025: 4,035 Affected · Hacking/IT Incident · CA. Filed With HHS OCR. What To Do.
Docs Medical Group, Inc. dba Pulse Urgent Care (Redding, CA) filed a HIPAA breach notification with the HHS Office for Civil Rights on December 28, 2025, reporting 4,035 affected individuals. The Medusa ransomware group claimed the March 24, 2025 intrusion. Notification letters went out on December 29, 2025 with 12 months of TransUnion credit monitoring.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 24, 2025
detected
Mar 24, 2025
Breach detected
Nov 26, 2025
other
Dec 26, 2025
other
Dec 28, 2025
filed
Dec 28, 2025
Disclosed publicly
Dec 29, 2025
notified
Jan 5, 2026
class-action
Mar 24, 2025
detected
Mar 24, 2025
Breach detected
Nov 26, 2025
other
Dec 26, 2025
other
Dec 28, 2025
filed
Dec 28, 2025
Disclosed publicly
Dec 29, 2025
notified
Jan 5, 2026
class-action
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Docs Medical Group, Inc., the Redding, California operator of Pulse Urgent Care, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on December 28, 2025, reporting 4,035 affected individuals. The clinic detected suspicious activity on its network in late March 2025, and the Medusa ransomware group subsequently claimed responsibility on its dark-web leak site and demanded a $120,000 ransom. Substitute notice was issued on December 29, 2025.
Timeline
- March 24, 2025 — Pulse Urgent Care detected suspicious activity on its network and contained the intrusion.
- November 26, 2025 — Forensic review completed; the entity identified the specific individuals and data elements involved.
- December 26, 2025 — Notification letter dated and provided to regulators (California Attorney General copy filed on this date).
- December 28, 2025 — HHS OCR breach report posted listing 4,035 affected individuals, “Hacking/IT Incident,” Network Server.
- December 29, 2025 — Substitute notice published via PR Newswire; individual notification letters mailed to those with addresses on file.
- January 5, 2026 — Cole & Van Note publicly announces a class-action investigation on behalf of affected patients.
Exposed data
Per the entity’s own notice, the data elements that may have been involved vary by individual and include name; date of birth; Social Security number; driver’s license number; passport number; clinical or treatment information including lab results, prescription information, and provider information; and health insurance information.
The combination of Social Security number, government ID number, and clinical detail is high-severity. Driver’s license and passport numbers, in particular, enable synthetic-identity fraud that credit monitoring alone does not detect.
What Pulse Urgent Care is offering
Eligible individuals are offered 12 months of complimentary credit monitoring and identity-theft protection through TransUnion, with a 90-day enrollment window from receipt of the notification letter. The entity has stood up a dedicated call center at 1-833-303-4915, staffed Monday through Friday, 8:00 a.m. to 8:00 p.m. Eastern.
Class-action posture
Cole & Van Note, a California consumer-protection class-action firm, announced an investigation on January 5, 2026, and has since closed intake on this matter (“THIS INVESTIGATION IS NO LONGER ACCEPTING NEW CLIENTS”), which typically signals that a complaint has been filed or that the firm has consolidated its client roster ahead of filing. Additional plaintiffs’ firms commonly file parallel actions for breaches of this size in California state and federal court.
What to do if you may be affected
- Enroll in the TransUnion offer before the 90-day deadline. It is free and does not waive any legal claims.
- Freeze your credit with Equifax, Experian, and TransUnion. A freeze is free, takes about ten minutes per bureau, and is materially more protective than monitoring alone against new-account fraud.
- If your driver’s license or passport number was listed in your individual notice, contact the California DMV and the U.S. Department of State respectively to flag the document and request guidance on replacement.
- Watch for medical-identity misuse. Review your explanation-of-benefits statements from health insurers for services you did not receive. Medical identity theft is harder to detect than credit fraud and is not surfaced by standard credit monitoring.
- Keep the notification letter. If a class action is certified, the letter will be the simplest proof of class membership.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Pulse Urgent Care substitute notice (PR Newswire, Dec. 29, 2025) — the entity’s own published notice with dates and offered services.
- Regulatory notification letter filed with the California Attorney General — the December 26, 2025 letter as filed with the CA AG.
- Comparitech reporting on the Medusa ransomware attack — corroborates the Medusa attribution and $120,000 ransom demand.
- HIPAA Journal coverage of five-provider cyber incidents — trade-press summary including this incident.
- Cole & Van Note class-action investigation announcement — the plaintiffs’ firm’s public filing notice.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Pulse Urgent Care substitute notice (PR Newswire, Dec. 29, 2025)
- Regulatory notification letter to California Attorney General
- Comparitech reporting on the Medusa ransomware attack
- HIPAA Journal coverage of five-provider cyber incidents
- Cole & Van Note class-action investigation announcement
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.