Active breach tracker Inland Empire / Coachella Valley, CA Disclosed February 27, 2026

Nephrology Associates Medical Group Data Breach 2026: 4,631 California Kidney Patients Exposed. No Credit Monitoring Offered. What To Do

Nephrology Associates Medical Group (NAMG), a 16-office California nephrology practice serving the Inland Empire and Coachella Valley, disclosed in February 2026 a May 2025 employee email compromise exposing names, Social Security numbers, dates of birth, treatment records, health insurance, and billing data for 4,631 dialysis and CKD patients. No credit monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 20, 2025

Suspicious activity detected on network; forensic investigators engaged

May 20, 2025

Attacker gained access

Dec 2, 2025

Investigation concludes; PHI exposure confirmed

Feb 25, 2026

Date on entity's data breach notice

Feb 27, 2026

Press release; individual notification mailing; HHS OCR filing

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Date of birth

02

Health records

Don't expire and can't be reissued

Treatment / diagnostic information

03

Contact & insurance

Phishing + targeted scams

Full name Medical / health information Health insurance information Billing / payment information Credentialing information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter LLP (publicly investigating) Federman & Sherwood (publicly investigating) Strauss Borrelli PLLC (publicly investigating) The Lyon Firm (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Nephrology Associates Medical Group (NAMG) is a long-established (40+ years) California nephrology practice serving the Inland Empire (Riverside and San Bernardino counties) and the Coachella Valley. NAMG operates 16 offices plus a dialysis center and hospital network, treating chronic kidney disease (CKD), end-stage renal disease / dialysis, kidney transplant, and kidney stones.

On May 20, 2025, NAMG detected suspicious activity on its network and engaged a third-party forensic investigator. The investigation concluded on December 2, 2025, confirming PHI exposure. NAMG dated its public notice February 25, 2026 and issued a press release / mailed individual notification letters on February 27, 2026 — confirming 4,631 affected individuals.

The entry vector was a compromised employee email account. Forensics found broader network access and file exfiltration; the email account was the initial foothold. No ransomware group has publicly claimed responsibility. No leak-site listing has been observed.

Notable timing concerns:

  • 6+ month dwell time between detection (May 2025) and confirmation (December 2025).
  • 9+ month notification lag between intrusion and patient notice — exceeds typical HIPAA Breach Notification Rule expectations (60 days from discovery).

What was stolen

Per NAMG’s notice:

  • Full name
  • Social Security number
  • Date of birth
  • Medical / health information
  • Treatment / diagnostic information
  • Health insurance information
  • Billing / payment information
  • Credentialing information (suggests provider/staff records may also be in scope)

What NAMG is offering

NAMG’s notice does not offer complimentary credit monitoring or identity theft protection. This is unusual for a breach with full SSN exposure and is likely to be a focal point of any class action.

  • Toll-free call center: (844) 443-1521 (Monday to Friday, 6:30 a.m. to 3:30 p.m. Pacific)
  • Security uplift: stronger passwords, forced rotation, reduced access permissions, offline storage of legacy data

What to do

  1. Place free credit freezes at Equifax, Experian, TransUnion. NAMG is not providing monitoring.
  2. File IRS Form 14039 (Identity Theft Affidavit). Full SSN is in scope.
  3. Consider purchasing your own credit monitoring given the SSN + DOB + medical + billing exposure profile.
  4. Cancel and reissue any payment cards that may be tied to billing/payment information.
  5. Watch your Medicare Summary Notice for unfamiliar dialysis or nephrology claims.
  6. Stop the ongoing flow of your kidney-care data. HealthConsent files HIPAA restriction requests so the dialysis, lab, and transplant data exposed in this breach is not continuously re-shared.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.