HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Mission City Community Network discloses breach 4 months later

Written by Caitlin Anthoney | Oct 17, 2025 8:53:20 PM

Mission City Community Network, Inc. (MCCN), a California-based healthcare and social services provider, recently disclosed a data breach that may have exposed sensitive personally identifiable information (PII) and protected health information (PHI). While the incident reportedly occurred in early June, MCCN’s public notice was not posted until mid-October.

 

What happened

According to the MCCN breach notice, the company detected suspicious activity within its network around June 6, 2025. The investigation determined that an unauthorized party may have accessed or acquired sensitive information from MCCN’s systems. 

However, the organization did not make the incident public until October 15, 2025, four months after the suspected breach date.

The notice confirms that MCCN determined an unauthorized party had accessed or acquired data within its systems. Still, it does not identify the types of information exposed. The timeline also leaves questions about how long MCCN took to confirm the extent of the incident and notify affected individuals.

MCCN stated that it is reviewing the affected data, notifying those impacted, and offering complimentary credit monitoring services once identification is complete.

 

Going deeper

The delay between breach occurrence and public notification is raising compliance questions. Under HIPAA’s Breach Notification Rule (45 CFR §§ 164.400–414), covered entities must notify affected individuals and the Department of Health and Human Services (HHS) no later than 60 days after discovering a breach involving unsecured PHI.

If MCCN became aware of suspicious activity in early June, the mid-October disclosure exceeds that 60-day window by over two months. Under the Breach Notification Rule, a breach is considered “discovered” when an organization knows, or should reasonably have known, that PHI was compromised. 

Given MCCN’s confirmation of access at that time, the delay raises compliance concerns regarding whether notification occurred “without unreasonable delay,” as required under HIPAA.

 

What was said

“As soon as we became aware of the activity, we took immediate steps to secure the environment, implemented our incident response protocols, and engaged outside computer forensic experts to assist in our response and to investigate what occurred,” their public notice explains.

Furthermore, “The investigation determined that an unauthorized individual gained access to our systems for a limited period of time. The investigation also found that documents containing a limited amount of protected health information may have been copied from our network during the incident.”

 

In the know

Healthcare data breaches are governed by strict federal reporting requirements designed to promote transparency and patient protection. Under HIPAA:

  • Covered entities must notify affected individuals without unreasonable delay, and no later than 60 days after discovery of a breach.
  • Breaches affecting 500 or more individuals must be reported to HHS and the media within the same timeframe.
  • Entities must also maintain internal documentation showing the steps taken to investigate and mitigate the incident.

Failure to meet these requirements can lead to Office for Civil Rights (OCR) investigations, civil monetary penalties, and reputational damage. The OCR has previously issued multimillion-dollar settlements for delayed notifications. 

 

Why it matters

Healthcare data breaches can take a long time to resolve. According to the 2025 report What small healthcare practices get wrong about HIPAA and email security, detection and containment together average 10 months. That period consists of an average of 224 days to detect a breach and another 84 days to contain it in 2025, showing that threat actors often maintain access to sensitive systems for many months before being stopped.

Compounding this risk, “The longer it takes to spot a breach, the higher the cost to the organization,” given that the average cost of a data breach in healthcare is now estimated to be $11 million, the highest of any industry.

 

The bottom line

Slow breach responses can cause delayed breach notification, with patients’ PHI remaining exposed and organizational risk growing with every month of delay. Healthcare organizations must rapidly detect, contain, and disclose data breaches to limit financial and reputational harm.

Read also: How to respond to a suspected HIPAA breach

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

 

Can data breaches lead to identity theft?

Yes. When personal and health information is accessed without authorization, there is an increased risk of identity theft, insurance fraud, and unauthorized use of medical records. Patients should monitor their accounts and take preventive measures to reduce potential harm.

 

How common are healthcare data breaches?

Healthcare organizations are frequent targets for cyberattacks because PHI is highly valuable to malicious actors. In the first half of 2025 alone, 107 email-related incidents were reported, and the average cost per breach soared to $11 million, largely due to systemic security misconfigurations and an overreliance on user vigilance.