Active breach tracker Los Angeles, CA Disclosed June 20, 2025

Frank D. Lanterman Regional Center Data Breach 2025: 19,000 IDD Service Recipients Exposed in Eight-Month Email Compromise

Los Angeles County Developmental Services Fdn., Inc. dba Frank D. Lanterman Regional Center filed a HIPAA breach notification with HHS OCR on June 20, 2025 reporting 19,000 affected individuals in a Hacking/IT Incident at a Network Server. Unauthorized access to the center's email environment ran from August 2024 through December 2024 and exposed SSNs, government IDs, medical and treatment records, and health insurance information of the developmentally disabled population it serves.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 1, 2024

Unauthorized access to certain email accounts in the Lanterman email environment begins (per notification)

Dec 20, 2024

Suspicious activity detected; Lanterman engages third-party forensic specialists

Jun 16, 2025

Forensic review of affected mailboxes completed; PHI confirmed exposed

Jun 20, 2025

Breach reported to HHS Office for Civil Rights (Hacking/IT Incident — Network Server, 19,000 affected)

Jul 18, 2025

Individual notification letters mailed to affected service recipients and family members

Aug 1, 2025

Breach reported to the California Attorney General's Office under Cal. Civ. Code § 1798.82

Nov 28, 2025

Enrollment deadline for the 12-month complimentary Experian IdentityWorks monitoring offered to affected individuals

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical and treatment records

03

Contact & insurance

Phishing + targeted scams

Full name Address Government-issued ID number Health insurance information Financial and billing information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Los Angeles County Developmental Services Fdn., Inc., doing business as Frank D. Lanterman Regional Center (FDLRC), reported a HIPAA breach to the U.S. Department of Health and Human Services Office for Civil Rights on June 20, 2025, disclosing that 19,000 individuals had protected health information exposed in a Hacking/IT Incident affecting a Network Server. The underlying event was an eight-month unauthorized-access campaign against the center’s email environment that ran from August 2024 through December 2024, discovered on December 20, 2024. Lanterman is one of 21 nonprofit regional centers operating under contract with the California Department of Developmental Services (DDS) and coordinates intellectual and developmental disability services for residents of central Los Angeles County, the Hollywood Hills, and the Foothill communities.

Timeline of what we know

  • August 2024 — Unauthorized access to certain email accounts within Lanterman’s email environment begins. The dwell window ultimately spans roughly four months.
  • December 20, 2024 — Lanterman detects suspicious activity in the email environment and engages third-party computer forensics specialists to investigate.
  • June 16, 2025 — The comprehensive review of affected mailboxes is completed and Lanterman confirms that protected health information may have been viewed or removed.
  • June 20, 2025 — Lanterman files the federal HIPAA breach report with HHS OCR, characterized as a Hacking/IT Incident at a Network Server affecting 19,000 individuals.
  • July 18, 2025 — Individual notification letters are mailed to affected service recipients, family members, and other individuals whose data was housed in the compromised mailboxes.
  • August 1, 2025 — The breach is reported to the California Attorney General’s Office for posting on the state’s public database breach list.
  • November 28, 2025 — Enrollment deadline for the 12-month complimentary Experian IdentityWorks credit monitoring and identity-theft protection that Lanterman offered with the notification letters.

What was exposed

Per Lanterman’s notification letter and the state attorney general filing, the files in the compromised mailboxes may have contained any of the following, depending on the individual:

  • Full name and address
  • Date of birth
  • Social Security number
  • Government-issued ID number (e.g., driver’s license, state ID)
  • Medical and treatment records
  • Health insurance information
  • Financial and billing information

Not every element was present for every affected person, but the combination of full identifiers (SSN plus date of birth plus government ID) alongside medical records is the worst-case category for fraud risk.

Why this population matters

Regional centers like Lanterman are the entry point and lifelong service coordinator for Californians with intellectual and developmental disabilities: autism, cerebral palsy, epilepsy, and conditions diagnosed before age 18. The 19,000 individuals in scope are largely IDD service recipients and their family members. That is a uniquely vulnerable cohort:

  • Many have conservators, regional-center service coordinators, or family members managing financial accounts on their behalf, which creates additional attack surface for identity-theft and benefits-fraud schemes that exploit conservatorship and SSI or SSDI workflows.
  • Medical and treatment records in this population can include diagnostic codes, behavioral assessments, IPP (Individual Program Plan) goals, and Medi-Cal eligibility detail. That information is highly sensitive and not easily revoked.
  • A non-trivial share of affected individuals will have limited capacity to monitor their own credit, freeze bureaus, or recognize phishing follow-on activity. Care networks need to act on their behalf.

What Lanterman is offering

Lanterman is providing 12 months of complimentary credit monitoring and identity protection services through Experian IdentityWorks, including credit monitoring, fraud detection tools, and identity-restoration support. The activation code and enrollment instructions are printed in each individual notification letter. Lanterman set the enrollment deadline at November 28, 2025. The center also said it has hardened email-environment controls and provided additional cybersecurity training to its workforce.

Class-action and regulatory posture

As of this writing, no class-action lawsuit specific to the Frank D. Lanterman Regional Center breach has been publicly indexed. Plaintiff-side firms routinely solicit potential class members after IDD-population breaches because of the vulnerability profile and the sensitivity of records involved, so this status may change. The unrelated North Los Angeles County Regional Center breach reported in January 2025 has drawn separate class-action investigations and should not be confused with this Lanterman incident. The HHS OCR investigation remains open, and the California Attorney General’s office is the secondary state regulator of record.

What to do if you may be affected

This breach exposed full identifiers plus medical records. If you or a loved one received IDD services through Lanterman, or have a child or adult in your care who did, treat this as a high-severity exposure:

  1. Freeze the credit of the affected individual at all three bureaus, Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud cold. Conservators and authorized representatives can place freezes on behalf of a person they assist.
  2. Enroll in the complimentary Experian IdentityWorks coverage Lanterman offered, using the activation code in the notification letter. If the November 28, 2025 deadline has passed, call the dedicated breach line printed on the letter to ask whether enrollment can still be processed.
  3. Request an IRS Identity Protection PIN (IP PIN) for the affected person at irs.gov/ippin. With SSNs in the wild, tax-refund fraud is a leading attack pattern, including against Social Security and disability-benefit recipients.
  4. Watch for medical identity theft. Request Explanation of Benefits statements from Medi-Cal, Medicare, and any private insurer used. Verify the listed claims. If you see services the affected person did not receive, report them to the insurer and to HHS OCR.
  5. Be skeptical of phone, text, and email outreach claiming to be from Lanterman, DDS, or a “fraud department.” Threat actors often follow large breaches with targeted phishing using leaked identifiers. Lanterman will not ask for full SSN, banking detail, or activation codes by phone.
  6. Document everything. Keep copies of the notification letter, freeze confirmations, and any suspicious activity. Conservators and parents should keep a single folder for the affected individual in case future litigation or settlement claims become available.

Lanterman confirmed the breach in its individual notification letters and in filings with HHS OCR and the California Attorney General.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.