Beverly Hills Oncology Medical Group, a California-based cancer treatment practice, recently reported a data breach, discovered in February 2025, that may have exposed the protected health information (PHI) of an unknown number of patients.
Between February 7 and February 11, 2025, Beverly Hills Oncology Medical Group discovered unauthorized access to its internal computer systems. The organization immediately launched an investigation with the help of cybersecurity experts to determine the scope of the incident.
According to the Beverly Hills Oncology Medical Group notice filed with the California Attorney General’s Office, the investigation revealed that certain personal and health information may have been accessed or acquired. Potentially exposed data includes names, Social Security numbers, driver’s license or government identification numbers, financial account information, credit or debit card details, health insurance information, and medical details such as diagnoses, treatments, prescriptions, and other clinical data.
In its breach notification, Beverly Hills Oncology Medical Group stated, “Please accept our apologies that this incident occurred. We are committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information.”
According to the U.S. Department of Health and Human Services (HHS) Breach Portal, more than 500 healthcare data breaches were reported in the first half of 2025 alone, continuing a multi-year upward trend in healthcare cybersecurity incidents.
Sarah Varnell, manager at BARR Advisory, explains that “Healthcare organizations are high-value targets. They hold sensitive personal and medical data, and often rely on complex, legacy systems that weren’t built with modern security threats in mind. Unlike credit card information, protected health information (PHI) doesn't expire. It can be used to commit medical fraud, obtain prescriptions or treatments under false identities, or even blackmail individuals based on diagnoses or treatments.”
HIPAA’s Breach Notification Rule (45 CFR §§164.400–414) mandates that covered entities must notify both affected individuals and the U.S. Department of Health and Human Services (HHS) within 60 days of identifying a breach involving unsecured PHI.
If the Beverly Hills Oncology Medical Group incident was confirmed soon after its discovery in February 2025, the delay before notification raises compliance concerns under the Breach Notification Rule.
Cyberattacks targeting healthcare providers continue to rise, with oncology and specialty practices often being high-value targets due to the sensitivity of their data. Breaches like the one at Beverly Hills Oncology Medical Group show why healthcare providers must use advanced HIPAA-compliant solutions, like Paubox.
These solutions automatically encrypt emails, protecting the information during transmission and at rest. They also prevent unauthorized access that could lead to costly data breaches and potential HIPAA violations.
Patients impacted by the Beverly Hills Oncology Medical Group breach should review financial statements, monitor credit reports, and report any suspicious activity. Additionally, affected individuals can use the dedicated and confidential toll-free response line for all questions at 855-291-2692.
HIPAA compliance means adhering to the regulations set by HIPAA to ensure the privacy, security, and availability of protected health information (PHI).
PHI stands for protected health information and includes any information in a medical record that can be used to identify an individual.
A breach occurs when an unauthorized party accesses, uses, or discloses PHI without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.