HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Palomar Health notifies patients of 2024 data breach

Written by Abby Grifno | Oct 21, 2025 2:39:07 AM

The California-based healthcare provider is notifying patients of a breach from over a year ago. 

 

What happened

Palomar Health Medical Group (PHMG), on behalf of itself, Graybill Medical Group, Inc., and Pacific Accountable Care, LLC, is notifying impacted patients of a data breach that took place in 2024. 

Although Palomar is now notifying patients, they have not yet officially disclosed the breach to the Department of Health and Human Services, so the number of impacted individuals remains unknown. 

 

Going deeper

According to the posted report, the incident was first identified by PHMG on May 5th, 2024. After PHMG discovered suspicious activity on certain computer systems, they began an investigation that determined an unauthorized actor had accessed files between April 23rd and May 5th, 2024. Files may have been copied.

After the discovery, PHMG began a review of the data to determine who was affected and what information was accessed. As part of this review, PHMG also attempted to locate addresses for impacted individuals. The review was completed on September 4th, 2025. It is unclear when the notice was posted or when PHMG began notifying individuals. 

The notice stated that impacted individuals may have had the following data accessed: names, addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, military identification numbers, passport information, financial account information, payment and health savings information, medical and treatment information, biometric information, health insurance information, email addresses and passwords, and usernames and passwords. 

 

The big picture

Data breaches of any size can have negative impacts on both patients and practices. The Paubox 2025 healthcare email security report states the average cost of a data breach in healthcare is $9.8 million. Even smaller healthcare providers can face harsh penalties; one California-based radiology provider was fined $5,000 by the Office for Civil Rights and also faced increased monitoring and compliance overhauls. Any breach can be damaging to patients, and HHS and OCR take every incident seriously, especially when many breaches are preventable with the right technology and training.

 

FAQs

Why did the breach take so long to investigate? 

Many factors can delay a breach investigation, including what resources the healthcare facility has available. In this case, a significant amount of information was impacted for an unknown number of people, which means PHMG may have had to crawl through thousands or even millions of various files. Beyond that, tracking down addresses and sending notices can be a time-intensive process.

 

Does it matter how much information was impacted?

Yes. Generally, the more information about an individual is available on the dark web, the more likely it is that someone will be able to access their accounts or commit credit or identity theft.