Newport Beach Healthcare Data Breach 2025: Newport Harbor Pathology. What Was Stolen and What To Do
The Newport Beach, CA pathology breach disclosed January 2025. 501+ patients had names, SSNs, diagnoses, and pathology test results exposed by an unauthorized-access attack from October to November 2024. If you got a notification letter, here is exactly what was taken and what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 8, 2024
Attacker gained access
Nov 11, 2024
Unauthorized access detected
Dec 6, 2024
First notification letters mailed
Jan 10, 2025
Filed with HHS Office for Civil Rights
Apr 14, 2025
Filed with California Attorney General
Oct 8, 2024
Attacker gained access
Nov 11, 2024
Unauthorized access detected
Dec 6, 2024
First notification letters mailed
Jan 10, 2025
Filed with HHS Office for Civil Rights
Apr 14, 2025
Filed with California Attorney General
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Newport Harbor Pathology Medical Group is a Newport Beach, California pathology practice that also operates as Orange County Medical Group Pathology, Mission Laguna Pathology Medical Group, and Barr Dermatopathology. On November 11, 2024, NHPMG detected unauthorized access to parts of its network.
A subsequent forensic investigation confirmed that an outside attacker had access to NHPMG’s systems for over a month, from October 8 through November 11, 2024. During that window, the attacker viewed and potentially copied patient files. The breach was filed with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) on January 10, 2025, and with the California Attorney General’s office on April 14, 2025.
If you received pathology or dermatopathology services through any of those four entities between roughly 2010 and late 2024, your records may have been in the system the attacker accessed.
What was stolen
The forensic investigation confirmed that the compromised parts of NHPMG’s network contained the following types of patient information:
- Full name
- Date of birth
- Home address
- Diagnoses
- Pathology test results (including dermatopathology: skin biopsies and lesion assessments)
- Medical record number
- Social Security number
- Driver’s license or other government ID number
- Health insurance information
This combination is enough to support medical identity theft (someone using your insurance for their own care), financial identity theft (your SSN + DOB + driver’s license is most of what a fraudster needs to open accounts), and targeted attacks based on your medical history.
What NHPMG is offering
Affected patients received notification letters on December 6, 2024 and again on January 10, 2025. NHPMG’s response, by industry standard, includes some form of complimentary credit monitoring for affected individuals, typically 12 to 24 months.
Credit monitoring covers your wallet. It does not cover your health records. It tells you when someone opens a credit account in your name. It does not stop your name, SSN, diagnoses, and pathology results from circulating to data brokers, marketing firms, and research vendors that may have already purchased the data downstream.
What to do if you received a notification letter
This week:
- Accept the free credit monitoring that NHPMG offers in the letter. It is the floor, not the ceiling, but you should take it.
- Place a free credit freeze with Equifax, Experian, and TransUnion. This is stronger than credit monitoring; it prevents new accounts from being opened in your name at all. Free at all three bureaus.
- File an IRS identity-theft affidavit (Form 14039) so a fraudulent return can’t be filed under your SSN before yours.
- Review Explanation of Benefits (EOB) statements from your health insurer for any provider visits you don’t recognize. It is the earliest sign of medical identity theft.
This month:
- Stop your health data from being shared further. This is the part credit monitoring won’t do. HealthConsent automates HIPAA restriction requests and Health Information Exchange opt-outs across the entire healthcare ecosystem, so the diagnoses and test results that were stolen from NHPMG can’t continue to be sold or shared by other entities downstream.
- Confirm your provider’s response is enough. If the only thing NHPMG offers is credit monitoring, the response is incomplete for what was actually exposed. State privacy laws (California’s CMIA) give you additional rights that aren’t included in the standard breach-response package.
Frequently asked questions
How do I know if I’m affected?
If you received a pathology or dermatopathology service that was processed through NHPMG, Orange County Medical Group Pathology, Mission Laguna Pathology Medical Group, or Barr Dermatopathology between 2010 and late 2024, you may be affected. NHPMG was required to notify affected individuals directly by mail; if you didn’t receive a letter, you can contact NHPMG’s incident response line listed in the public notice.
Will the 501 figure go up?
Likely. The 501-individual count in the OCR portal is the initial filing and is marked as interim by HIPAA Journal. Many healthcare breaches see the affected-count grow significantly as the investigation completes. Watch the OCR Breach Portal for updates.
Should I sue?
Several law firms (Strauss Borrelli, Console & Associates, Federman & Sherwood, Levi & Korsinsky) have publicly announced class-action investigations. If you received a notification letter, you may be eligible to join one of those investigations. We can’t give you legal advice; we recommend speaking to your own attorney or one of the firms investigating.
Why does this matter beyond the credit-monitoring window?
Credit monitoring runs for 12 to 24 months. Your stolen pathology results, diagnoses, and SSN don’t expire on that timeline. They get sold to data brokers, used in targeted phishing campaigns, and surface in medical-identity-theft attempts for years afterward. Stopping the ongoing flow of your health data is a separate problem from monitoring credit, and the one most breach-response packages don’t address.
Is HealthConsent affiliated with NHPMG?
No. HealthConsent is an independent health-data privacy service. We build tools for patients to control where their health information flows after a breach (or before one). NHPMG is not a customer, partner, or affiliate.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: January 2025 Healthcare Data Breach Report
- JD Supra: Notice of Recent Data Breach
- ClassAction.org: Lawsuit Investigation
- Strauss Borrelli: Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.