Newport Harbor Pathology Data Breach 2025: 119,341 Affected in California Pathology Lab Network Intrusion. No Credit Monitoring Offered. What To Do.
Newport Harbor Pathology Medical Group, Inc. (Newport Beach, CA) discovered unauthorized network access on November 11, 2024. HHS OCR lists 119,341 affected; a class-action complaint was filed April 7, 2025; notifications went to 14 state AGs. Names, SSNs, diagnoses, and pathology results were involved. No credit monitoring was offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 8, 2024
Earliest date of unauthorized access to the Newport Harbor Pathology network, per the entity's later forensic findings
Nov 11, 2024
Newport Harbor Pathology detects unauthorized activity on its IT network and begins an investigation with third-party cybersecurity specialists
Dec 6, 2024
First round of individual notification letters mailed to affected patients
Jan 10, 2025
Second round of individual notification letters mailed; HHS OCR breach filing submitted listing 119,341 affected individuals, Hacking/IT Incident at Network Server, Healthcare Provider
Apr 7, 2025
Matthew Miller v. Newport Harbor Pathology Medical Group, Inc. filed in the U.S. District Court for the Central District of California (Case No. 8:25-cv-00704), asserting class-action data-breach claims
Apr 14, 2025
Breach filed with the California Attorney General's office under California Civil Code § 1798.29; ClaimDepot aggregator lists notifications also filed with AGs in Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington
Oct 8, 2024
Earliest date of unauthorized access to the Newport Harbor Pathology network, per the entity's later forensic findings
Nov 11, 2024
Newport Harbor Pathology detects unauthorized activity on its IT network and begins an investigation with third-party cybersecurity specialists
Dec 6, 2024
First round of individual notification letters mailed to affected patients
Jan 10, 2025
Second round of individual notification letters mailed; HHS OCR breach filing submitted listing 119,341 affected individuals, Hacking/IT Incident at Network Server, Healthcare Provider
Apr 7, 2025
Matthew Miller v. Newport Harbor Pathology Medical Group, Inc. filed in the U.S. District Court for the Central District of California (Case No. 8:25-cv-00704), asserting class-action data-breach claims
Apr 14, 2025
Breach filed with the California Attorney General's office under California Civil Code § 1798.29; ClaimDepot aggregator lists notifications also filed with AGs in Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Newport Harbor Pathology Medical Group, Inc. is a Newport Beach, California pathology practice (located at 2901 W. Coast Highway, Suite 200) that provides anatomic pathology, clinical pathology, and cytopathology services to hospitals, clinics, and healthcare providers across Southern California. The group employs approximately 25 staff and generates an estimated $5 million in annual revenue. It operates under several trade names: Orange County Medical Group Pathology, Mission Laguna Pathology Medical Group, and Barr Dermatopathology. The practice has since rebranded as NewPath Labs.
On November 11, 2024, the practice detected unauthorized activity on its IT network and engaged third-party cybersecurity specialists to investigate. The forensic review concluded that an unauthorized party had access to the network between October 8, 2024 and November 11, 2024, and during that window viewed and copied files containing personal and protected health information.
Newport Harbor sent two waves of individual notification letters, on December 6, 2024 and January 10, 2025, and filed the breach with the U.S. Department of Health and Human Services Office for Civil Rights on January 10, 2025. The OCR portal lists the incident as a “Hacking/IT Incident” at “Network Server,” with the entity as a Healthcare Provider and 119,341 individuals affected. The breach was subsequently filed with the California Attorney General’s office on April 14, 2025. According to aggregator data, notifications were also submitted to the attorneys general of Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, reflecting the national patient footprint of the lab’s referral network.
Public sources reviewed for this page do not identify a ransomware group or other named threat actor in connection with this incident. The notice describes the event as unauthorized network access; no leak-site posting has been reported.
Timeline
- October 8, 2024 — Earliest date of unauthorized access per the entity’s forensic findings.
- November 11, 2024 — Newport Harbor detects unauthorized activity and begins investigation.
- December 6, 2024 — First round of individual notification letters mailed.
- January 10, 2025 — Second round of notification letters mailed; HHS OCR filing submitted listing 119,341 affected.
- April 7, 2025 — Miller v. Newport Harbor Pathology Medical Group, Inc. filed in the U.S. District Court for the Central District of California (Case No. 8:25-cv-00704).
- April 14, 2025 — Breach filed with the California Attorney General’s office. Multi-state notifications also reported to the attorneys general of Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington.
What was exposed
According to Newport Harbor’s notice and follow-on legal coverage, the files involved in this incident contained varying combinations of the following:
- Full name
- Date of birth
- Address
- Social Security number
- Driver’s license number
- Other government-issued identification numbers
- Medical record number
- Diagnoses
- Pathology test results
- Health insurance information
Not every individual had every field exposed. The specific elements affecting a given person are listed in that person’s individual notification letter. Because pathology results and diagnoses were in the files, the exposure here goes beyond ordinary financial identity-theft risk and includes downstream medical-data resale and underwriting risk.
What Newport Harbor Pathology is offering
Newport Harbor Pathology did not offer complimentary credit monitoring to affected patients. The official notice letter directed individuals to request their one free annual credit report from each of the three major bureaus (Equifax, Experian, TransUnion) via AnnualCreditReport.com, and provided bureau phone numbers for placing credit freezes or fraud alerts. No enrollment code, no credit-monitoring vendor, and no dedicated call center for breach response were included in the notice.
The absence of credit monitoring is a focal point in the class-action litigation: several plaintiff firms have cited the failure to offer meaningful remediation as evidence of inadequate breach response for an incident involving Social Security numbers and clinical health records at this scale.
Class-action posture
A class-action complaint, Matthew Miller v. Newport Harbor Pathology Medical Group, Inc., was filed on April 7, 2025 in the U.S. District Court for the Central District of California (Case No. 8:25-cv-00704). The complaint asserts negligence, breach of implied contract, and related claims arising from the same incident reported to OCR.
Multiple additional plaintiff firms, including Strauss Borrelli PLLC, Levi & Korsinsky, LLP, Console & Associates, P.C., and Federman & Sherwood, have publicly opened investigations and are continuing intake. We will update this page when consolidations, settlements, or additional dockets become public.
What to do
This week:
- Place a free credit freeze with Equifax, Experian, and TransUnion. Because Social Security numbers and driver’s license numbers were in the stolen files, account-takeover and new-account fraud are realistic risks. A freeze prevents new accounts from being opened in your name and is more protective than monitoring alone. Newport Harbor Pathology did not offer complimentary credit monitoring, so you will need to set this up yourself.
- If your letter confirms SSN exposure, file IRS Form 14039 (Identity Theft Affidavit) before tax-filing season to flag your SSN against fraudulent tax-refund filings, and consider placing a fraud alert with the Social Security Administration.
- Consider enrolling in paid identity-theft monitoring. Given that SSNs, diagnoses, and pathology results were all in the stolen files, a credit-only product is insufficient. Look for a service that covers dark-web monitoring and medical identity alerts.
This month:
- Watch health insurance EOBs and medical bills. Because diagnoses and pathology results were in the exposed files, medical identity theft (services billed under your name and insurance) is a downstream risk that credit monitoring alone will not catch. Review every EOB for services you did not receive and report discrepancies to your insurer.
- If you are a California resident, the California Medical Information Act (CMIA) provides stronger protections than federal HIPAA and allows a private right of action for unauthorized disclosure of your medical information. Consult a California attorney if you believe your CMIA rights were violated.
- Decide on plaintiff representation. A complaint is already on file in C.D. Cal. and several firms are accepting intake. You are not required to retain any of them, and a typical class settlement compensates class members regardless of whether they signed an individual retainer.
- Stop the ongoing flow of your medical data. Once diagnoses and pathology results are out of a covered entity’s perimeter, they get scraped, enriched, and resold by data brokers and ad-tech firms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the pathology and diagnostic data exposed in this breach is not continuously re-shared across health-data marketplaces.
Continue reading
- Your HIPAA rights: how to request restrictions, corrections, and an accounting of disclosures
- California Medical Information Act (CMIA): stronger protections for California patients
- All tracked healthcare data breaches
Sources
- JD Supra / Console and Associates, P.C.: Newport Harbor Pathology Files Notice of Recent Data Breach
- ClassAction.org: Newport Harbor Pathology Medical Group Data Breach Lawsuit
- Strauss Borrelli PLLC: Newport Harbor Pathology Medical Group Data Breach Investigation
- Levi & Korsinsky, LLP investigation announcement (AccessNewswire / KTLA)
- Federman & Sherwood: Newport Harbor Pathology Medical Group Data Breach Investigation
- Justia Dockets: Matthew Miller v. Newport Harbor Pathology Medical Group, Inc., 8:25-cv-00704 (C.D. Cal.)
- PacerMonitor: Miller v. Newport Harbor Pathology Medical Group, Inc. complaint
- Console & Associates P.C.: Newport Harbor Pathology Data Breach Investigation
- Board Cybersecurity: Newport Harbor Pathology Medical Group, Inc. cybersecurity incident tracker
- Newport Harbor Pathology Medical Group — Official Notice of Data Incident (notice letter PDF)
- ClaimDepot: Newport Harbor Pathology Medical Group Data Breach — multi-state AG filing summary
- HHS Office for Civil Rights Breach Portal
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- JD Supra / Console and Associates, P.C.: Newport Harbor Pathology Files Notice of Recent Data Breach
- ClassAction.org: Newport Harbor Pathology Medical Group Data Breach Lawsuit
- Strauss Borrelli PLLC: Newport Harbor Pathology Medical Group Data Breach Investigation
- Levi & Korsinsky, LLP investigation announcement (AccessNewswire / KTLA)
- Justia Dockets: Matthew Miller v. Newport Harbor Pathology Medical Group, Inc., 8:25-cv-00704 (C.D. Cal.)
- PacerMonitor: Miller v. Newport Harbor Pathology Medical Group, Inc. complaint
- Console & Associates P.C.: Newport Harbor Pathology Data Breach Investigation
- Board Cybersecurity: Newport Harbor Pathology Medical Group, Inc. cybersecurity incident tracker
- HHS Office for Civil Rights Breach Portal
- Federman & Sherwood: Newport Harbor Pathology Medical Group Data Breach Investigation (January 21, 2025)
- Newport Harbor Pathology Medical Group — Official Notice of Data Incident (notice letter PDF)
- ClaimDepot: Newport Harbor Pathology Medical Group Data Breach — multi-state AG filing summary
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.