Active breach tracker Newport Beach, CA Disclosed January 10, 2025

Newport Beach Healthcare Data Breach 2025: Newport Harbor Pathology. What Was Stolen and What To Do

The Newport Beach, CA pathology breach disclosed January 2025. 501+ patients had names, SSNs, diagnoses, and pathology test results exposed by an unauthorized-access attack from October to November 2024. If you got a notification letter, here is exactly what was taken and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 8, 2024

Attacker gained access

Nov 11, 2024

Unauthorized access detected

Dec 6, 2024

First notification letters mailed

Jan 10, 2025

Filed with HHS Office for Civil Rights

Apr 14, 2025

Filed with California Attorney General

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license / government ID

02

Health records

Don't expire and can't be reissued

Diagnoses Pathology test results Medical record number

03

Contact & insurance

Phishing + targeted scams

Full name Home address Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli Console & Associates Federman & Sherwood Levi & Korsinsky
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Newport Harbor Pathology Medical Group is a Newport Beach, California pathology practice that also operates as Orange County Medical Group Pathology, Mission Laguna Pathology Medical Group, and Barr Dermatopathology. On November 11, 2024, NHPMG detected unauthorized access to parts of its network.

A subsequent forensic investigation confirmed that an outside attacker had access to NHPMG’s systems for over a month, from October 8 through November 11, 2024. During that window, the attacker viewed and potentially copied patient files. The breach was filed with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) on January 10, 2025, and with the California Attorney General’s office on April 14, 2025.

If you received pathology or dermatopathology services through any of those four entities between roughly 2010 and late 2024, your records may have been in the system the attacker accessed.

What was stolen

The forensic investigation confirmed that the compromised parts of NHPMG’s network contained the following types of patient information:

  • Full name
  • Date of birth
  • Home address
  • Diagnoses
  • Pathology test results (including dermatopathology: skin biopsies and lesion assessments)
  • Medical record number
  • Social Security number
  • Driver’s license or other government ID number
  • Health insurance information

This combination is enough to support medical identity theft (someone using your insurance for their own care), financial identity theft (your SSN + DOB + driver’s license is most of what a fraudster needs to open accounts), and targeted attacks based on your medical history.

What NHPMG is offering

Affected patients received notification letters on December 6, 2024 and again on January 10, 2025. NHPMG’s response, by industry standard, includes some form of complimentary credit monitoring for affected individuals, typically 12 to 24 months.

Credit monitoring covers your wallet. It does not cover your health records. It tells you when someone opens a credit account in your name. It does not stop your name, SSN, diagnoses, and pathology results from circulating to data brokers, marketing firms, and research vendors that may have already purchased the data downstream.

What to do if you received a notification letter

This week:

  1. Accept the free credit monitoring that NHPMG offers in the letter. It is the floor, not the ceiling, but you should take it.
  2. Place a free credit freeze with Equifax, Experian, and TransUnion. This is stronger than credit monitoring; it prevents new accounts from being opened in your name at all. Free at all three bureaus.
  3. File an IRS identity-theft affidavit (Form 14039) so a fraudulent return can’t be filed under your SSN before yours.
  4. Review Explanation of Benefits (EOB) statements from your health insurer for any provider visits you don’t recognize. It is the earliest sign of medical identity theft.

This month:

  1. Stop your health data from being shared further. This is the part credit monitoring won’t do. HealthConsent automates HIPAA restriction requests and Health Information Exchange opt-outs across the entire healthcare ecosystem, so the diagnoses and test results that were stolen from NHPMG can’t continue to be sold or shared by other entities downstream.
  2. Confirm your provider’s response is enough. If the only thing NHPMG offers is credit monitoring, the response is incomplete for what was actually exposed. State privacy laws (California’s CMIA) give you additional rights that aren’t included in the standard breach-response package.

Frequently asked questions

How do I know if I’m affected?

If you received a pathology or dermatopathology service that was processed through NHPMG, Orange County Medical Group Pathology, Mission Laguna Pathology Medical Group, or Barr Dermatopathology between 2010 and late 2024, you may be affected. NHPMG was required to notify affected individuals directly by mail; if you didn’t receive a letter, you can contact NHPMG’s incident response line listed in the public notice.

Will the 501 figure go up?

Likely. The 501-individual count in the OCR portal is the initial filing and is marked as interim by HIPAA Journal. Many healthcare breaches see the affected-count grow significantly as the investigation completes. Watch the OCR Breach Portal for updates.

Should I sue?

Several law firms (Strauss Borrelli, Console & Associates, Federman & Sherwood, Levi & Korsinsky) have publicly announced class-action investigations. If you received a notification letter, you may be eligible to join one of those investigations. We can’t give you legal advice; we recommend speaking to your own attorney or one of the firms investigating.

Why does this matter beyond the credit-monitoring window?

Credit monitoring runs for 12 to 24 months. Your stolen pathology results, diagnoses, and SSN don’t expire on that timeline. They get sold to data brokers, used in targeted phishing campaigns, and surface in medical-identity-theft attempts for years afterward. Stopping the ongoing flow of your health data is a separate problem from monitoring credit, and the one most breach-response packages don’t address.

Is HealthConsent affiliated with NHPMG?

No. HealthConsent is an independent health-data privacy service. We build tools for patients to control where their health information flows after a breach (or before one). NHPMG is not a customer, partner, or affiliate.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.