Personalis Data Breach 2026: 650 Cancer Genomics Patients Exposed via Email Compromise. VA Million Veteran Program Provider. What To Do
Personalis, Inc. (NASDAQ: PSNL), a publicly-traded cancer genomics company and sole sequencing provider to the VA Million Veteran Program, disclosed an HHS OCR breach for 650 individuals via email compromise in February 2026. Genomic data exposure carries lifetime implications for blood relatives. Specific PHI categories and remediation not publicly itemized. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 4, 2026
HHS OCR filing (other dates not publicly disclosed)
Feb 4, 2026
Attacker gained access
Feb 4, 2026
Breach detected
Feb 4, 2026
HHS OCR filing (other dates not publicly disclosed)
Feb 4, 2026
Attacker gained access
Feb 4, 2026
Breach detected
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Personalis, Inc. (NASDAQ: PSNL) is a publicly-traded cancer genomics company headquartered in Fremont, California. Core products include NeXT Personal (an ultrasensitive circulating tumor DNA / minimal residual disease test) and tumor / immune profiling. Personalis is the sole sequencing provider to the VA Million Veteran Program (MVP) — one of the largest genomic databases in the world.
Personalis filed with HHS OCR on February 4, 2026 — Hacking/IT Incident at Email — confirming 650 affected individuals. Specific incident timeline, threat actor, and PHI categories have not been publicly disclosed beyond plaintiff-firm characterizations.
The “Email” location code is consistent with business email compromise (BEC) — phishing or credential intrusion of one or more employee mailboxes. No ransomware group has claimed responsibility; no dark-web leak-site listing has been observed.
Why a small genomic breach carries outsized risk
Personalis’ email correspondence environment likely contains:
- Oncologist orders for genetic testing
- NeXT Personal test reports as PDF attachments
- Patient and clinician correspondence about results
- Tumor profiling reports
Raw FASTQ / VCF genomic sequence files almost certainly are NOT in scope — those live in segregated laboratory information systems, not email. But genomic test report PDFs attached to email are plausibly in scope, and those reports identify specific gene variants and cancer mutations.
Three risks make this breach uniquely severe even at 650 individuals:
- Genomic information is immutable — unlike SSNs that can be reissued, genetic data cannot be changed.
- Family implication — your genomic data partly describes your blood relatives. They have an implicit privacy interest but no consent role in your medical records.
- VA / Million Veteran Program ambiguity — Personalis’ MVP relationship means the affected population could include veterans. This is not publicly confirmed — the small affected count (650) more likely reflects commercial-clinical email correspondents than the MVP cohort, but the question is open.
What was potentially exposed
Per plaintiff-firm aggregations (not entity-confirmed):
- Full name, addresses
- Date of birth, contact details
- Social Security number
- Government IDs
- Medical information
- Financial information
- Potentially medical or genetic data related to Personalis’ cancer genomics and sequencing services
If you receive a Personalis notification letter, the letter will list the specific data elements involved in your case.
What Personalis is offering
No publicly available specifics on credit monitoring vendor, duration, or call center vendor. Plaintiff-firm pages reference generic “credit monitoring or identity protection services that may be offered” but this is not a confirmed Personalis offering.
Read your specific notification letter for the offered remediation and activation details.
What to do
- Read your specific notification letter to confirm what data elements were involved and what monitoring is offered.
- Place free credit freezes at Equifax, Experian, TransUnion if SSN exposed.
- If your NeXT Personal or tumor-profiling report was potentially exposed, document the breach in case the specific gene-variant data surfaces in future contexts (insurance underwriting, employment background checks).
- Inform blood relatives — your genomic data partly describes their genetic risk. They may want to be aware that data linked to your medical history is potentially in circulation.
- If you are a VA Million Veteran Program participant, contact the VA directly to ask whether your sequencing data is implicated.
- Stop the ongoing flow of your genomic data. HealthConsent files HIPAA restriction requests covering molecular diagnostic and genomic sequencing pathways.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- ClaimDepot: Personalis 2026 Incident Summary
- ClaimDepot: Personalis Lawsuit Investigation
- The Lyon Firm: Personalis California Legal Rights
- Morgan & Morgan Data Breach Brief — Week of Feb 25, 2026
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.