Active breach tracker San Francisco, California Disclosed December 18, 2025

North East Medical Services Data Breach 2025 (RansomHouse/UnitedLayer): 91,513 Patients at SF Bay Area FQHC Exposed. What To Do

North East Medical Services (NEMS), the San Francisco Bay Area FQHC that primarily serves Asian-American immigrant communities, disclosed a network intrusion at its third-party hosted managed service provider UnitedLayer. 91,513 individuals affected. Names, Social Security numbers, and medical information potentially exposed. Multiple plaintiffs' firms investigating. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 19, 2025

NEMS detects potential unauthorized access to data on UnitedLayer's hosted network

Oct 19, 2025

Date of unauthorized access per California AG filing

Nov 3, 2025

RansomHouse lists UnitedLayer on its dark-web leak site (estimated attack date October 23, 2025); UnitedLayer has not confirmed the claim

Dec 17, 2025

NEMS's review of potentially impacted data completes; affected individuals identified

Dec 18, 2025

HHS OCR portal submission (91,513 individuals; Hacking/IT Incident; Network Server)

Feb 18, 2026

California Attorney General sample notice filed (sb24-618957); breach date listed as 10/19/2025

Feb 19, 2026

Massachusetts AG filing 2026-234 recorded (16 Massachusetts residents affected)

Feb 19, 2026

Plaintiffs' firms publicly open investigations (Strauss Borrelli, Gibbs Mura, Emery Reddy, others)

Data exposed

01

High-risk identity

Enables financial + identity theft

Per public coverage of letters sent to California residents: Social Security numbers and medical information are among the elements appearing in at least some letters

03

Contact & insurance

Phishing + targeted scams

First and last name (confirmed in NEMS notice for every recipient) Additional data elements per recipient (the NEMS notice uses a per-recipient variable list, so the exact combination differs by letter)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (publicly investigating; announced 2026-02-19) Bryson Harris Suciu & DeMay PLLC (publicly investigating; sponsoring ClassAction.org listing) EKSM - Ellzey, Kherkher, Sanford & Montgomery LLP (publicly investigating) The Lyon Firm (publicly investigating) Gibbs Mura LLP / gs-legal.com (publicly investigating) Emery Reddy PC (publicly investigating; announced 2026-02-20)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

North East Medical Services (NEMS) confirms a data security incident affecting 91,513 patients that originated on the network of its third-party managed hosting provider, UnitedLayer.

What happened

NEMS is a federally qualified health center (FQHC) headquartered at 1520 Stockton Street in San Francisco’s Chinatown, serving approximately 70,000 patients per year across 30+ clinic sites in San Francisco, Daly City, San Jose, and Las Vegas. The patient base is predominantly Asian-American and includes a high share of Medi-Cal and Medicare beneficiaries.

On October 19, 2025, NEMS detected potential unauthorized access to data held on the network of UnitedLayer, a private-cloud managed service provider headquartered in San Francisco. NEMS immediately engaged third-party forensic specialists. By December 17, 2025, NEMS’s review confirmed which individuals were potentially affected. NEMS filed with HHS OCR on December 18, 2025, disclosing 91,513 affected individuals under the “Hacking/IT Incident / Network Server” categories.

RansomHouse attribution (claimed, not confirmed by UnitedLayer): On November 3, 2025, the ransomware/extortion group RansomHouse added UnitedLayer to its dark-web leak site, claiming to have encrypted UnitedLayer’s data and providing evidence packs in support of the claim. The estimated attack date on the ransomware.live tracker is October 23, 2025 — four days after NEMS’s discovery date. UnitedLayer has not publicly confirmed RansomHouse’s claim, acknowledged the attack, or disclosed whether any ransom was demanded or paid. NEMS’s own notification letter does not name an attacker. Comparitech and BlackFog’s February 2026 State of Ransomware report both independently reported the RansomHouse claim. Comparitech noted the UnitedLayer breach ranked as “the fourth-largest breach on a US tech company in 2025.”

Timeline

  • October 19, 2025 — NEMS detects potential unauthorized access to data on UnitedLayer’s hosted network. UnitedLayer is NEMS’s third-party managed service provider. NEMS engages third-party forensic specialists.
  • October 23, 2025 — Estimated attack date per ransomware.live tracker.
  • November 3, 2025 — RansomHouse adds UnitedLayer to its dark-web leak site (claim unconfirmed by UnitedLayer).
  • December 17, 2025 — NEMS’s review of potentially impacted data completes; affected individuals identified.
  • December 18, 2025 — HHS Office for Civil Rights filing posted to the public breach portal: 91,513 individuals, Hacking/IT Incident, Network Server.
  • February 18, 2026 — California Attorney General sample-notice filing sb24-618957, with breach date listed as 10/19/2025.
  • February 19, 2026 — Massachusetts Attorney General filing 2026-234 recorded (16 Massachusetts residents affected; SSNs and medical records listed as potentially exposed).
  • Mid-February 2026 onward — Patient notification letters mailed (NEMS handles mailing through Cyberscout). Multiple plaintiffs’ firms publicly open investigations.

What was exposed

The NEMS notice letter (filed with the California AG and circulated in February 2026) confirms that every recipient’s letter discloses their first and last name in combination with a per-recipient list of additional data elements. The letter uses a variable placeholder, so the exact combination differs by individual.

Public coverage of letters delivered to California residents indicates the broader pool of potentially affected elements includes Social Security numbers and medical information, alongside names. The exact combination on your letter is what governs your own exposure. Read the specific elements listed in your individual notice.

The NEMS notice does not enumerate insurance, financial-account, or government-ID elements as a categorical list. The placeholder structure means a recipient cannot determine from public sources what was in their specific letter. Your physical notification letter is the canonical source for your exposure profile.

Sensitive-population context: FQHC serving Asian immigrant communities

NEMS is one of the largest community health centers in the United States targeting medically underserved Asian populations. NEMS is a federally qualified health center (FQHC) under the Health Center Program (42 U.S.C. § 254b), headquartered at 1520 Stockton Street in San Francisco’s Chinatown.

  • Approximately 70,000 patients per year, the majority of whom identify as Asian-American
  • Linguistically and culturally adapted services in Cantonese, Mandarin, Toishan, Vietnamese, Burmese, Korean, Spanish, and other languages
  • 30+ clinic and service-delivery sites across San Francisco (Chinatown, Portola, Visitacion Valley, Richmond, Tenderloin, Sunset), Daly City, San Jose, and Las Vegas
  • Accepts Medi-Cal, Medicare, Healthy Families, Healthy Kids, San Francisco Health Plan, Healthy San Francisco, and operates on a sliding fee scale

For this population, SSN and medical-record exposure carries risks that go beyond the standard identity-theft framing aimed at English-speaking, credit-active consumers:

  • Mixed-immigration-status families may face heightened concern about how exposed SSN or contact data could be misused. National Immigration Law Center (NILC), Asian Americans Advancing Justice - Asian Law Caucus, and California-based legal aid organizations are practical resources.
  • Medi-Cal enrollment fraud (claims billed under your member ID) can disrupt benefits eligibility. Watch your Medi-Cal Notice of Action and Explanation of Benefits statements.
  • Language access for the breach response itself matters. The NEMS dedicated hotline is staffed during U.S. business hours and the Cyberscout enrollment portal is online-only. Confirm whether translated materials are available rather than assuming nothing exists.
  • Phishing and scam-call risk is elevated. Elderly community members are common targets for follow-on “tech support” or “Medicare verification” calls in Cantonese, Mandarin, and Vietnamese leveraging the breach. NEMS will not ask for your SSN, password, or bank information by phone.

Class-action posture

As of early June 2026, no complaint has been publicly docketed in the Northern District of California or any other forum on behalf of NEMS patients. The DOJ press release that appears in some searches concerns a separate, unrelated Medi-Cal qui tam matter against NEMS, not this breach.

What is filed publicly: multiple plaintiffs’ firms have opened investigations and are soliciting affected individuals.

  • Strauss Borrelli PLLC (announced 2026-02-19)
  • Bryson Harris Suciu & DeMay PLLC (sponsoring the ClassAction.org listing)
  • EKSM (Ellzey, Kherkher, Sanford & Montgomery LLP)
  • The Lyon Firm
  • Gibbs Mura LLP (gs-legal.com)
  • Emery Reddy PC (announced 2026-02-20)

The typical pattern after an OCR filing of this size, particularly one involving a third-party vendor and SSN / medical exposure, is consolidated class-action filings within 60 to 90 days of letters reaching recipients. This page will be updated when a complaint is docketed.

What to do

  1. Read your specific NEMS notification letter carefully. The placeholder structure in the public version means the data elements that apply to you are listed only in your physical letter.
  2. Enroll in the offered credit monitoring through Cyberscout (a TransUnion company) using the unique code in your letter. Activation deadlines are typically 90 days from the letter date; check yours.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. This is free, takes about ten minutes per bureau, and is the highest-leverage step against new-account identity theft if your SSN was in scope.
  4. File IRS Form 14039 (Identity Theft Affidavit) if your SSN appears on your letter, to flag your tax account against fraudulent return filing.
  5. If you are a Medi-Cal recipient, review your Medi-Cal Notice of Action statements for unfamiliar claims and call DHCS Member Services if you see anything unauthorized.
  6. If you are in a mixed-status family or are otherwise concerned about immigration-related downstream risk, NILC, CHIRLA, and Asian Americans Advancing Justice offer guidance specific to your situation.
  7. Call NEMS’s dedicated incident hotline (listed in your letter) with questions about your specific exposure, or write to NEMS at 1520 Stockton Street, San Francisco, CA 94133.
  8. Stop the ongoing flow of your FQHC data. HealthConsent files HIPAA restriction requests covering community health center, Medicaid managed care, and prescription network pathways.

Sources

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.