Nephrology Associates Medical Group Data Breach 2026: 4,631 California Kidney Patients Exposed. No Credit Monitoring Offered. What To Do
Nephrology Associates Medical Group (NAMG), a 16-office California nephrology practice serving the Inland Empire and Coachella Valley, disclosed in February 2026 a May 2025 employee email compromise exposing names, Social Security numbers, dates of birth, treatment records, health insurance, and billing data for 4,631 dialysis and CKD patients. No credit monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 20, 2025
Suspicious activity detected on network; forensic investigators engaged
May 20, 2025
Attacker gained access
Dec 2, 2025
Investigation concludes; PHI exposure confirmed
Feb 25, 2026
Date on entity's data breach notice
Feb 27, 2026
Press release; individual notification mailing; HHS OCR filing
May 20, 2025
Suspicious activity detected on network; forensic investigators engaged
May 20, 2025
Attacker gained access
Dec 2, 2025
Investigation concludes; PHI exposure confirmed
Feb 25, 2026
Date on entity's data breach notice
Feb 27, 2026
Press release; individual notification mailing; HHS OCR filing
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Nephrology Associates Medical Group (NAMG) is a long-established (40+ years) California nephrology practice serving the Inland Empire (Riverside and San Bernardino counties) and the Coachella Valley. NAMG operates 16 offices plus a dialysis center and hospital network, treating chronic kidney disease (CKD), end-stage renal disease / dialysis, kidney transplant, and kidney stones.
On May 20, 2025, NAMG detected suspicious activity on its network and engaged a third-party forensic investigator. The investigation concluded on December 2, 2025, confirming PHI exposure. NAMG dated its public notice February 25, 2026 and issued a press release / mailed individual notification letters on February 27, 2026 — confirming 4,631 affected individuals.
The entry vector was a compromised employee email account. Forensics found broader network access and file exfiltration; the email account was the initial foothold. No ransomware group has publicly claimed responsibility. No leak-site listing has been observed.
Notable timing concerns:
- 6+ month dwell time between detection (May 2025) and confirmation (December 2025).
- 9+ month notification lag between intrusion and patient notice — exceeds typical HIPAA Breach Notification Rule expectations (60 days from discovery).
What was stolen
Per NAMG’s notice:
- Full name
- Social Security number
- Date of birth
- Medical / health information
- Treatment / diagnostic information
- Health insurance information
- Billing / payment information
- Credentialing information (suggests provider/staff records may also be in scope)
What NAMG is offering
NAMG’s notice does not offer complimentary credit monitoring or identity theft protection. This is unusual for a breach with full SSN exposure and is likely to be a focal point of any class action.
- Toll-free call center: (844) 443-1521 (Monday to Friday, 6:30 a.m. to 3:30 p.m. Pacific)
- Security uplift: stronger passwords, forced rotation, reduced access permissions, offline storage of legacy data
What to do
- Place free credit freezes at Equifax, Experian, TransUnion. NAMG is not providing monitoring.
- File IRS Form 14039 (Identity Theft Affidavit). Full SSN is in scope.
- Consider purchasing your own credit monitoring given the SSN + DOB + medical + billing exposure profile.
- Cancel and reissue any payment cards that may be tied to billing/payment information.
- Watch your Medicare Summary Notice for unfamiliar dialysis or nephrology claims.
- Stop the ongoing flow of your kidney-care data. HealthConsent files HIPAA restriction requests so the dialysis, lab, and transplant data exposed in this breach is not continuously re-shared.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Nephrology Associates Medical Group: Data Breach Notice
- PRNewswire: NAMG Notifies Patients of Data Security Incident
- HIPAA Journal: Valley Radiology / Nephrology Associates Coverage
- ClassAction.org: Nephrology Associates February 2026
- Lynch Carpenter Investigation Announcement
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.