City of Long Beach Data Breach 2025: 258,191 PHI Records Exposed in November 2023 Network Intrusion · $2.35M Settlement
A November 14, 2023 network intrusion at the City of Long Beach, California exposed personal data for 470,060 people, including protected health information for 258,191 individuals reported to HHS OCR in April 2025. A $2.35M class-action settlement, funded by city insurance carriers, pays roughly $5 per class member.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 14, 2023
City of Long Beach detects unauthorized third-party access to its network; multiple city systems taken offline
Nov 14, 2023
Attacker gained access
Mar 18, 2025
Third-party forensic investigation concludes — city confirms sensitive data was accessed or acquired during the November 2023 intrusion
Apr 14, 2025
Individual notification letters mailed; HIPAA breach reported to HHS OCR (258,191 PHI records); dedicated call center opened
Apr 14, 2025
Disclosed publicly
Jul 15, 2025
90-day notification call center closes
May 1, 2026
Consolidated class action settles for $2.35M funded by the city's insurance carriers (approximately $5 per class member across roughly 470,000 residents)
Nov 14, 2023
City of Long Beach detects unauthorized third-party access to its network; multiple city systems taken offline
Nov 14, 2023
Attacker gained access
Mar 18, 2025
Third-party forensic investigation concludes — city confirms sensitive data was accessed or acquired during the November 2023 intrusion
Apr 14, 2025
Individual notification letters mailed; HIPAA breach reported to HHS OCR (258,191 PHI records); dedicated call center opened
Apr 14, 2025
Disclosed publicly
Jul 15, 2025
90-day notification call center closes
May 1, 2026
Consolidated class action settles for $2.35M funded by the city's insurance carriers (approximately $5 per class member across roughly 470,000 residents)
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
On November 14, 2023, the City of Long Beach, California detected an unauthorized third party inside its network. The city took several systems offline in response while keeping emergency services online. After a forensic review that the city characterized as “extensive document-by-document,” investigators confirmed on March 18, 2025 that sensitive personal data had been accessed or acquired. Individual notification letters did not begin going out until April 14, 2025, when the city also filed its HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights. The OCR filing covers 258,191 individuals whose protected health information was implicated, drawn from a broader population of roughly 470,060 affected residents and city contacts notified across multiple states including Maine, Oregon, New Hampshire, Massachusetts, Texas, and California.
The City of Long Beach is a HIPAA-regulated entity through its Department of Health and Human Services, its public-safety EMS records, and its employee health plan, all of which sit on shared city network infrastructure. No ransomware group has publicly claimed the intrusion, and city officials have declined to detail the technical entry point, citing concern that doing so would expose still-extant vulnerabilities.
Timeline
- November 14, 2023 — Unauthorized third party detected on the City of Long Beach network. City systems are taken offline; the public website is unavailable while government email and phone systems remain operational. Emergency services continue uninterrupted.
- October 2024 — City posts an interim update: forensic experts continue working to identify specific individuals whose personal information was accessed or acquired; the scope determination remains in progress.
- March 18, 2025 — Third-party forensic experts confirm that personal data was accessed or acquired during the November 2023 intrusion. The city characterizes the file-by-file review as time-intensive and unprecedented in scope. The city simultaneously notifies law enforcement.
- April 14, 2025 — Individual notification letters begin going out via U.S. mail. The city files its HIPAA breach report with HHS OCR covering 258,191 PHI records. A dedicated call center and multilingual FAQ are launched.
- July 15, 2025 — The 90-day notification call center is closed after the prescribed notification period ends.
- August 2025 — City posts that no further public updates are anticipated.
- 2025–2026 — Multiple individual claims are consolidated into a single class action; the city’s insurance carriers fund a settlement.
- Spring 2026 — A $2.35 million class-action settlement is reached, paying approximately $5 per class member to a class of roughly 470,000 Long Beach residents. The Deputy City Attorney states the settlement is not an admission of liability.
What was exposed
Information confirmed accessed or acquired varies by individual but, across the affected population, includes:
- Name and date of birth
- Social Security number
- Driver’s license number
- Passport number
- Biometric information
- Medical information
- Health insurance information
- Taxpayer identification number
- Financial account information
- Credit and debit card numbers
The 258,191-record subset that the city reported to HHS OCR represents the individuals whose data triggered HIPAA’s breach-notification rule, which is a narrower population than the broader 470,060 affected residents notified under California and other state breach laws. City officials have publicly stated they have “no indication” that the stolen data has been used for fraud or identity theft, though plaintiffs in the resulting class action allege the opposite, including one plaintiff reporting a fraudulent $300 alcohol purchase at a 7-Eleven and a sharp rise in scam calls and emails after the breach.
What the city is offering
Residents whose Social Security numbers were exposed are being offered 12 months of complimentary credit monitoring and identity-theft protection services through Experian IdentityWorks. The vendor and duration are confirmed in the Maine Attorney General’s breach-notice filing and the sample notification letter filed with the California Attorney General. Enrollment instructions accompany the individual notification letter mailed beginning April 14, 2025.
Separately, eligible class members under the settlement receive a flat payment of approximately $5 from the $2.35 million settlement fund, which is paid entirely by the city’s insurance carriers rather than out of the general fund.
Class-action posture
A class action consolidated from several individual complaints reached a $2.35 million settlement in spring 2026. The settlement covers approximately 470,000 Long Beach residents who could potentially sue the city over the breach and is funded by the city’s commercial cyber-insurance carriers. The Deputy City Attorney’s office has characterized the settlement as a no-fault resolution and has continued to decline to identify the technical attack vector. The case name, docket number, and court were not disclosed in the public reporting reviewed for this page.
Plaintiff-side firm Ahdoot & Wolfson, P.C. publicly opened an investigation into the breach, citing potential violations of California consumer-protection and data-privacy laws.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. With Social Security numbers, driver’s license numbers, and passport numbers exposed, a security freeze is materially more protective than monitoring alone. It is free, takes about ten minutes per bureau, and is reversible.
- Enroll in the offered 12 months of Experian IdentityWorks credit monitoring if your notification letter includes an activation code. Even if you also freeze your credit, the monitoring service is worth activating; the code in your letter is single-use and the enrollment is free.
- Watch for medical identity theft. Because health insurance information and medical data were exposed, review every Explanation of Benefits and request a copy of your medical record from your insurer if you see services you did not receive.
- Be alert to targeted phishing and scam calls. Threat actors holding name, date of birth, Long Beach address, and partial financial data can craft convincing impersonations of the city, banks, or the IRS. Treat any unsolicited message referencing your city accounts, water bill, or Long Beach city services with skepticism, and call back on a number you look up independently.
- Keep an eye on the settlement. If you receive a settlement notice and remain a class member, claim your payment by the deadline stated on the notice. Do not pay any third party to file on your behalf.
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests so the medical information, health insurance records, and related PHI exposed in this breach are not continuously re-shared across insurers, provider networks, and health information exchanges. File a restriction request at no cost.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (258,191 affected, Hacking/IT Incident at Network Server, filed April 14, 2025).
- HIPAA Journal — City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack — incident timeline, 470,060 total / 258,191 PHI split, credit-monitoring offer.
- City of Long Beach — Network Security Incident Updates — official city statements on notification mailings, call-center timeline, and protections offered.
- City of Long Beach — Official Statement Regarding a Network Security Incident — original disclosure that an unauthorized third party accessed city systems.
- The Record (Recorded Future News) — Nearly 500,000 impacted by 2023 cyberattack on Long Beach — independent press coverage of disclosure and protections.
- BankInfoSecurity — City of Long Beach Says at Least 260,000 Affected by Hack — trade-press summary of the OCR-reported figure.
- Long Beach Post — Thousands Eligible for Payments Under Data Breach Settlement — $2.35M settlement, $5 per class member, insurance-funded.
- Ahdoot & Wolfson, P.C. — City of Long Beach Data Breach Class Action Investigation — plaintiff-side investigation summary.
- Maine Attorney General — City of Long Beach Data Breach Notice — confirms Experian as monitoring vendor (12 months); breach discovered March 18, 2025; 26 Maine residents affected.
- California Attorney General — City of Long Beach Notification Letter (redacted sample) — official sample notice confirming Experian IdentityWorks enrollment instructions and March 18, 2025 discovery date.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack
- City of Long Beach — Network Security Incident Updates (official)
- City of Long Beach — Official Statement Regarding a Network Security Incident
- The Record (Recorded Future News) — Nearly 500,000 impacted by 2023 cyberattack on Long Beach, California
- BankInfoSecurity — City of Long Beach Says at Least 260,000 Affected by Hack
- Long Beach Post — Thousands Eligible for Payments Under Data Breach Settlement
- Ahdoot & Wolfson, P.C. — City of Long Beach Data Breach Class Action Investigation
- Maine Attorney General — City of Long Beach Data Breach Notice (Experian; 12 months; 26 Maine residents)
- California Attorney General — City of Long Beach Notification Letter (sample, redacted; confirms Experian IdentityWorks)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.