Active breach tracker San Diego, California Disclosed June 6, 2025

Sharp Community Medical Group Data Breach 2025: 26,976 Affected via Episource Ransomware. What Was Stolen and What To Do

Sharp Community Medical Group filed a HIPAA breach notification with the HHS Office for Civil Rights on June 6, 2025, reporting 26,976 affected individuals. The underlying incident was the Episource ransomware attack that ran from January 27 to February 6, 2025. Here is what was exposed and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 27, 2025

Unauthorized access to Episource network began (Sharp Community Medical Group data exposed via business associate)

Feb 6, 2025

Episource detected unusual activity and contained the intrusion

Apr 23, 2025

Episource notified Sharp HealthCare and Sharp Community Medical Group that SCMG patient data was involved

Apr 23, 2025

Breach detected

Jun 6, 2025

Sharp Community Medical Group filed HIPAA breach notification with HHS OCR and California Attorney General; individual letters mailed

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical record number Diagnoses and treatment information Prescription / medication data Test results

03

Contact & insurance

Phishing + targeted scams

Full name Mailing address, phone number, email address Health insurance information (plan name, member ID, group ID, payer ID) Treating provider names

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood Strauss Borrelli PLLC Siri & Glimstad LLP Srourian Law Firm, P.C.
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Sharp Community Medical Group, a San Diego independent physician association affiliated with Sharp HealthCare, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 6, 2025, reporting 26,976 affected individuals in a Hacking/IT Incident classified as a Network Server event. The underlying root cause was not an intrusion of Sharp Community Medical Group’s own systems; SCMG was a downstream victim of the Episource ransomware attack, in which a criminal actor maintained unauthorized access to the network of Episource (a HIPAA business associate owned by Optum / UnitedHealth Group) between January 27 and February 6, 2025, and copied data out of Episource’s systems during that ten-day window.

Timeline

  • January 27, 2025 — Unauthorized access to Episource’s network begins. SCMG patient data resident on Episource systems is in scope from this date forward.
  • February 6, 2025 — Episource detects unusual activity and contains the intrusion.
  • April 23, 2025 — Episource notifies its covered-entity clients, including Sharp HealthCare and Sharp Community Medical Group, that SCMG patient information was involved.
  • June 6, 2025 — Sharp Community Medical Group files its own HIPAA breach notification with HHS OCR (26,976 individuals) and with the California Attorney General. Individual notification letters begin going out to affected patients.

What was exposed

Per the Sharp HealthCare substitute notice and the Episource notification letter template filed with the California Attorney General, the data potentially copied for Sharp Community Medical Group patients includes:

  • Full name, mailing address, phone number, email address
  • Date of birth
  • Health insurance information, including plan name, member ID, group ID, and payer ID
  • Medical record numbers and treating provider names
  • Clinical content: diagnoses, prescribed medications, test results, and treatment information

The Sharp-specific notification states that Social Security numbers, driver’s license numbers, financial account numbers, and payment card information were not included in the data pulled for SCMG patients. Plaintiffs’ firms investigating the broader Episource breach have referenced SSN exposure in the underlying dataset; this reflects that Episource’s full breach population (6.7M people across many covered entities) is broader than the SCMG-specific cohort. Read your individual notification letter for the exact list of data elements pulled for your record.

What Sharp Community Medical Group is offering

Through Episource, affected individuals are being offered 24 months of complimentary credit monitoring and identity-theft protection via IDX (now part of ZeroFox). The enrollment code is contained in each individual notification letter.

  • IDX call center: (877) 786-0549, weekdays
  • Initial enrollment deadline cited in early letters: September 30, 2025. If your letter arrived later, the deadline on your specific letter applies.

Class actions and regulatory posture

The Sharp Community Medical Group filing flows into the broader In re Episource LLC Data Breach Litigation consolidated in the Central District of California (lead case Finke v. Episource, LLC, 2:25-cv-05330). Multiple plaintiffs’ firms have publicly opened investigations into SCMG patient claims, including Federman & Sherwood, Strauss Borrelli PLLC, Siri & Glimstad LLP, and the Srourian Law Firm. These investigations evaluate potential claims against both Episource (as the breached business associate) and Sharp Community Medical Group (as the covered entity responsible for safeguarding patient data and timely notification under HIPAA and the California Confidentiality of Medical Information Act).

The HHS OCR entry remains open as of this writing, with no public enforcement resolution. The California Attorney General filing was made on June 6, 2025.

What to do if you received a notification letter

This week:

  1. Enroll in the IDX credit monitoring using the code in your letter. Twenty-four months is the longer end of what is typically offered; use the full window.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. This is the single highest-leverage step against new-account identity fraud and is independent of whether you enroll in IDX.
  3. Review recent Explanation of Benefits statements from your health plan for services you did not receive. Medical identity theft surfaces in EOBs weeks or months after the fraud.
  4. Watch for a second letter. If you are also a Sharp HealthCare patient (not just SCMG), or a member of an Anthem, Wellcare, or other Episource-served plan, you may receive a separate notification covering a different data slice.

This month:

  1. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance information exposed in this breach is not continuously re-shared and resold by other entities downstream.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.