North East Medical Services Data Breach 2025 (RansomHouse/UnitedLayer): 91,513 Patients at SF Bay Area FQHC Exposed. What To Do
North East Medical Services (NEMS), the San Francisco Bay Area FQHC that primarily serves Asian-American immigrant communities, disclosed a network intrusion at its third-party hosted managed service provider UnitedLayer. 91,513 individuals affected. Names, Social Security numbers, and medical information potentially exposed. Multiple plaintiffs' firms investigating. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 19, 2025
NEMS detects potential unauthorized access to data on UnitedLayer's hosted network
Oct 19, 2025
Date of unauthorized access per California AG filing
Nov 3, 2025
RansomHouse lists UnitedLayer on its dark-web leak site (estimated attack date October 23, 2025); UnitedLayer has not confirmed the claim
Dec 17, 2025
NEMS's review of potentially impacted data completes; affected individuals identified
Dec 18, 2025
HHS OCR portal submission (91,513 individuals; Hacking/IT Incident; Network Server)
Feb 18, 2026
California Attorney General sample notice filed (sb24-618957); breach date listed as 10/19/2025
Feb 19, 2026
Massachusetts AG filing 2026-234 recorded (16 Massachusetts residents affected)
Feb 19, 2026
Plaintiffs' firms publicly open investigations (Strauss Borrelli, Gibbs Mura, Emery Reddy, others)
Oct 19, 2025
NEMS detects potential unauthorized access to data on UnitedLayer's hosted network
Oct 19, 2025
Date of unauthorized access per California AG filing
Nov 3, 2025
RansomHouse lists UnitedLayer on its dark-web leak site (estimated attack date October 23, 2025); UnitedLayer has not confirmed the claim
Dec 17, 2025
NEMS's review of potentially impacted data completes; affected individuals identified
Dec 18, 2025
HHS OCR portal submission (91,513 individuals; Hacking/IT Incident; Network Server)
Feb 18, 2026
California Attorney General sample notice filed (sb24-618957); breach date listed as 10/19/2025
Feb 19, 2026
Massachusetts AG filing 2026-234 recorded (16 Massachusetts residents affected)
Feb 19, 2026
Plaintiffs' firms publicly open investigations (Strauss Borrelli, Gibbs Mura, Emery Reddy, others)
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
North East Medical Services (NEMS) confirms a data security incident affecting 91,513 patients that originated on the network of its third-party managed hosting provider, UnitedLayer.
What happened
NEMS is a federally qualified health center (FQHC) headquartered at 1520 Stockton Street in San Francisco’s Chinatown, serving approximately 70,000 patients per year across 30+ clinic sites in San Francisco, Daly City, San Jose, and Las Vegas. The patient base is predominantly Asian-American and includes a high share of Medi-Cal and Medicare beneficiaries.
On October 19, 2025, NEMS detected potential unauthorized access to data held on the network of UnitedLayer, a private-cloud managed service provider headquartered in San Francisco. NEMS immediately engaged third-party forensic specialists. By December 17, 2025, NEMS’s review confirmed which individuals were potentially affected. NEMS filed with HHS OCR on December 18, 2025, disclosing 91,513 affected individuals under the “Hacking/IT Incident / Network Server” categories.
RansomHouse attribution (claimed, not confirmed by UnitedLayer): On November 3, 2025, the ransomware/extortion group RansomHouse added UnitedLayer to its dark-web leak site, claiming to have encrypted UnitedLayer’s data and providing evidence packs in support of the claim. The estimated attack date on the ransomware.live tracker is October 23, 2025 — four days after NEMS’s discovery date. UnitedLayer has not publicly confirmed RansomHouse’s claim, acknowledged the attack, or disclosed whether any ransom was demanded or paid. NEMS’s own notification letter does not name an attacker. Comparitech and BlackFog’s February 2026 State of Ransomware report both independently reported the RansomHouse claim. Comparitech noted the UnitedLayer breach ranked as “the fourth-largest breach on a US tech company in 2025.”
Timeline
- October 19, 2025 — NEMS detects potential unauthorized access to data on UnitedLayer’s hosted network. UnitedLayer is NEMS’s third-party managed service provider. NEMS engages third-party forensic specialists.
- October 23, 2025 — Estimated attack date per ransomware.live tracker.
- November 3, 2025 — RansomHouse adds UnitedLayer to its dark-web leak site (claim unconfirmed by UnitedLayer).
- December 17, 2025 — NEMS’s review of potentially impacted data completes; affected individuals identified.
- December 18, 2025 — HHS Office for Civil Rights filing posted to the public breach portal: 91,513 individuals, Hacking/IT Incident, Network Server.
- February 18, 2026 — California Attorney General sample-notice filing sb24-618957, with breach date listed as 10/19/2025.
- February 19, 2026 — Massachusetts Attorney General filing 2026-234 recorded (16 Massachusetts residents affected; SSNs and medical records listed as potentially exposed).
- Mid-February 2026 onward — Patient notification letters mailed (NEMS handles mailing through Cyberscout). Multiple plaintiffs’ firms publicly open investigations.
What was exposed
The NEMS notice letter (filed with the California AG and circulated in February 2026) confirms that every recipient’s letter discloses their first and last name in combination with a per-recipient list of additional data elements. The letter uses a variable placeholder, so the exact combination differs by individual.
Public coverage of letters delivered to California residents indicates the broader pool of potentially affected elements includes Social Security numbers and medical information, alongside names. The exact combination on your letter is what governs your own exposure. Read the specific elements listed in your individual notice.
The NEMS notice does not enumerate insurance, financial-account, or government-ID elements as a categorical list. The placeholder structure means a recipient cannot determine from public sources what was in their specific letter. Your physical notification letter is the canonical source for your exposure profile.
Sensitive-population context: FQHC serving Asian immigrant communities
NEMS is one of the largest community health centers in the United States targeting medically underserved Asian populations. NEMS is a federally qualified health center (FQHC) under the Health Center Program (42 U.S.C. § 254b), headquartered at 1520 Stockton Street in San Francisco’s Chinatown.
- Approximately 70,000 patients per year, the majority of whom identify as Asian-American
- Linguistically and culturally adapted services in Cantonese, Mandarin, Toishan, Vietnamese, Burmese, Korean, Spanish, and other languages
- 30+ clinic and service-delivery sites across San Francisco (Chinatown, Portola, Visitacion Valley, Richmond, Tenderloin, Sunset), Daly City, San Jose, and Las Vegas
- Accepts Medi-Cal, Medicare, Healthy Families, Healthy Kids, San Francisco Health Plan, Healthy San Francisco, and operates on a sliding fee scale
For this population, SSN and medical-record exposure carries risks that go beyond the standard identity-theft framing aimed at English-speaking, credit-active consumers:
- Mixed-immigration-status families may face heightened concern about how exposed SSN or contact data could be misused. National Immigration Law Center (NILC), Asian Americans Advancing Justice - Asian Law Caucus, and California-based legal aid organizations are practical resources.
- Medi-Cal enrollment fraud (claims billed under your member ID) can disrupt benefits eligibility. Watch your Medi-Cal Notice of Action and Explanation of Benefits statements.
- Language access for the breach response itself matters. The NEMS dedicated hotline is staffed during U.S. business hours and the Cyberscout enrollment portal is online-only. Confirm whether translated materials are available rather than assuming nothing exists.
- Phishing and scam-call risk is elevated. Elderly community members are common targets for follow-on “tech support” or “Medicare verification” calls in Cantonese, Mandarin, and Vietnamese leveraging the breach. NEMS will not ask for your SSN, password, or bank information by phone.
Class-action posture
As of early June 2026, no complaint has been publicly docketed in the Northern District of California or any other forum on behalf of NEMS patients. The DOJ press release that appears in some searches concerns a separate, unrelated Medi-Cal qui tam matter against NEMS, not this breach.
What is filed publicly: multiple plaintiffs’ firms have opened investigations and are soliciting affected individuals.
- Strauss Borrelli PLLC (announced 2026-02-19)
- Bryson Harris Suciu & DeMay PLLC (sponsoring the ClassAction.org listing)
- EKSM (Ellzey, Kherkher, Sanford & Montgomery LLP)
- The Lyon Firm
- Gibbs Mura LLP (gs-legal.com)
- Emery Reddy PC (announced 2026-02-20)
The typical pattern after an OCR filing of this size, particularly one involving a third-party vendor and SSN / medical exposure, is consolidated class-action filings within 60 to 90 days of letters reaching recipients. This page will be updated when a complaint is docketed.
What to do
- Read your specific NEMS notification letter carefully. The placeholder structure in the public version means the data elements that apply to you are listed only in your physical letter.
- Enroll in the offered credit monitoring through Cyberscout (a TransUnion company) using the unique code in your letter. Activation deadlines are typically 90 days from the letter date; check yours.
- Place free credit freezes at Equifax, Experian, and TransUnion. This is free, takes about ten minutes per bureau, and is the highest-leverage step against new-account identity theft if your SSN was in scope.
- File IRS Form 14039 (Identity Theft Affidavit) if your SSN appears on your letter, to flag your tax account against fraudulent return filing.
- If you are a Medi-Cal recipient, review your Medi-Cal Notice of Action statements for unfamiliar claims and call DHCS Member Services if you see anything unauthorized.
- If you are in a mixed-status family or are otherwise concerned about immigration-related downstream risk, NILC, CHIRLA, and Asian Americans Advancing Justice offer guidance specific to your situation.
- Call NEMS’s dedicated incident hotline (listed in your letter) with questions about your specific exposure, or write to NEMS at 1520 Stockton Street, San Francisco, CA 94133.
- Stop the ongoing flow of your FQHC data. HealthConsent files HIPAA restriction requests covering community health center, Medicaid managed care, and prescription network pathways.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (91,513 affected; Hacking/IT Incident; Network Server; reported 2025-12-18).
- California AG: NEMS Sample Notice sb24-618957 — state regulatory filing; breach date 10/19/2025.
- Massachusetts AG: NEMS filing 2026-234 (February 2026) — state regulatory filing; 16 Massachusetts residents; SSNs and medical records cited.
- ClassAction.org: NEMS Notice Letter PDF (via Cyberscout) — primary-source consumer notification letter as circulated to California residents.
- NEMS Notice of Data Security Incident (November 6, 2025) — entity’s own notice page.
- ClassAction.org: NEMS February 2026 — investigation summary, key dates, data types; references Massachusetts AG filing.
- Comparitech: 91.5K patients affected following RansomHouse/UnitedLayer attack — trade press; RansomHouse claim, UnitedLayer leak-site listing, fourth-largest US tech-company breach of 2025.
- BlackFog: State of Ransomware February 2026 — independently corroborates RansomHouse claim and UnitedLayer encryption/evidence-pack detail.
- RedPacket Security: RansomHouse victim UnitedLayer (November 3, 2025) — secondary dark-web mirror; leak-site listing date November 3, 2025.
- Ransomware.live: UnitedLayer / RansomHouse entry — threat-intel tracker; discovered 2025-11-03 14:10 UTC; estimated attack date 2025-10-23.
- Strauss Borrelli PLLC — plaintiffs’ firm investigation page.
- Gibbs Mura LLP — confirms UnitedLayer’s role as the compromised hosted environment.
- The Lyon Firm — California-rights framing.
- EKSM — independent confirmation of names, SSNs, and medical data exposure.
- Emery Reddy PC: NEMS Data Breach Investigation — additional investigating firm (announced 2026-02-20).
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- California AG: NEMS Sample Notice (sb24-618957)
- ClassAction.org: NEMS Notice Letter PDF (via Cyberscout)
- NEMS Notice of Data Security Incident (November 6, 2025)
- ClassAction.org: NEMS February 2026
- Strauss Borrelli PLLC: NEMS Investigation
- Gibbs Mura LLP: NEMS / UnitedLayer Investigation
- The Lyon Firm: NEMS California Patient Rights
- EKSM: NEMS Active Case Page
- Comparitech: 91.5K patients affected following RansomHouse/UnitedLayer attack
- BlackFog: State of Ransomware February 2026 (NEMS/RansomHouse entry)
- RedPacket Security: RansomHouse victim UnitedLayer (November 3, 2025)
- Ransomware.live: UnitedLayer / RansomHouse entry (discovered 2025-11-03)
- Massachusetts AG: NEMS data breach notification 2026-234 (February 19, 2026)
- Emery Reddy PC: NEMS Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.