On June 12, 2025, South Coast Pediatrics, a healthcare provider in California, identified a cyberattack targeting its network server that potentially exposed the protected health information (PHI) of approximately 7,000 individuals.
What happened
The information that may have been compromised in the breach includes patient names, addresses, dates of birth, medical record numbers, diagnoses, and treatment codes or descriptions. Upon discovering the incident, South Coast Pediatrics immediately took steps to contain the threat, assess the scope of the compromise, and initiate recovery procedures. The organization reviewed and strengthened its existing security policies to prevent similar incidents in the future.
In compliance with legal requirements, South Coast Pediatrics notified the California Department of Public Health and the U.S. Department of Health and Human Services. The breach was formally reported on August 5, 2025, and patients were advised to monitor their accounts, review credit reports, and consider placing fraud alerts or security freezes to safeguard against potential identity theft and fraud.
What was said
According to the Notice of Security Incident, “On June 12, 2025, South Coast Pediatrics identified that a cyberattack occurred. We promptly took steps to contain the threat, assess the scope of compromise, and initiate recovery procedures.
Our review determined information related to certain individuals was present on the involved computers.”
Why it matters
Analysis of healthcare data breaches from 2010 to 2019 found that hacking and IT incidents constitute nearly 30% of all breaches, with a sharply increasing trend in recent years, particularly through attacks targeting email and network servers. Data shows that the average cost of a healthcare data breach in the U.S. is around $6.45 million, significantly higher than the overall average of $3.92 million, and in some cases reaching up to $15 million for breaches of roughly 25,575 records.
These incidents also trigger additional post-breach costs. One study, ‘Do hospital data breaches affect health information technology investment?’ observed a 66% increase in employed IT staff and a 57% increase in outsourced IT staff in hospitals that experienced breaches, reflecting extensive remediation needs. Even a breach involving ‘only’ 7,000 records can carry hefty direct costs, impose ongoing labor and operational burdens.
FAQs
What is considered a healthcare data breach?
A healthcare data breach occurs when PHI is accessed, disclosed, or stolen without authorization. PHI includes personal identifiers such as name, address, date of birth, medical record number, diagnosis, and treatment details.
How quickly must a healthcare provider report a breach?
Under HIPAA’s Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery. Breaches affecting more than 500 individuals must also be reported to the HHS and relevant state authorities within that same timeframe.
What are common causes of healthcare data breaches?
The leading causes include hacking/IT incidents (such as ransomware and phishing), unauthorized access by employees, theft or loss of devices, and improper disposal of records.
Kirsten Peremore
