A targeted phishing campaign led to unauthorized access to sensitive patient information at California Cancer Associates for Research and Excellence.
CCARE Fresno discovered on June 13, 2025, that a phishing attack had compromised employee email and SharePoint accounts over three days in December 2024. The incident resulted in unauthorized access to files containing both personal and medical information. The breach was officially reported to the California Attorney General’s Office on June 27.
The attackers used phishing techniques to gain access to a small number of employee credentials between December 13 and December 16, 2024. Although the apparent motive was to launch further phishing attacks, a subsequent investigation revealed that sensitive data was exposed in the process.
The compromised information included names, addresses, dates of birth, Social Security numbers, financial account details, and a wide range of protected health information (PHI). PHI exposed in the breach included medical diagnoses, lab results, medications, treatment records, insurance and claims data, provider details, and treatment dates.
While no misuse of the data has been confirmed to date, the exposure of both personally identifiable information (PII) and PHI increases the risk of identity theft and medical fraud.
CCARE Fresno stated that it acted quickly to secure the compromised accounts and launched a full investigation with outside cybersecurity experts. The organization has since implemented enhanced staff training to reduce the likelihood of similar phishing incidents.
Affected individuals were offered free enrollment in identity protection services through Epiq Privacy Solutions, which includes credit monitoring, identity theft insurance, and dark web scanning. Support is available via a dedicated call center, and further instructions have been shared in personalized notification letters.
The breach reflects the ongoing risk phishing poses to healthcare organizations: it targets people rather than technical weaknesses, and a handful of stolen passwords was enough to reach mail and SharePoint content. Even when only a few accounts are involved, exposure can be significant if those accounts hold medical or financial records. Incidents like this point to the need for regular staff training, layered controls that make a stolen password insufficient on its own (phishing-resistant multi-factor authentication and sign-in policies that block logins from unexpected locations or devices), and timely detection and response to limit the impact of future attacks.
PII refers to personally identifiable information like names and Social Security numbers, while PHI includes medical data tied to a specific individual, such as diagnoses, treatment details, or insurance records. When both are exposed, the risk of harm is significantly higher.
Phishing typically involves tricking employees into revealing login credentials or clicking malicious links. Once an attacker controls an account, they can read the mailbox and any files it can reach, send further phishing from a trusted internal address, and use that foothold to move to other systems or accounts within the organization.
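The pattern described above (credentials stolen, then the account used to send more phishing) leaves a visible trace in sign-in and outbound-mail activity. The following is an added example, not code or data from CCARE Fresno or this page, that flags an account when a successful sign-in from an IP address outside the user's baseline is followed within a short window by a burst of mail to external recipients. The event format, field names, internal domain and all sample events are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Assumed internal mail domain; anything else counts as an external recipient.
INTERNAL_DOMAINS = {"ccare.example"}


def _is_external(addr: str) -> bool:
    """True if the recipient's domain is not one of ours."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect_takeover(events, baseline_ips, window=timedelta(hours=2), threshold=5):
    """Flag users whose successful sign-in from a non-baseline IP is followed,
    within `window`, by at least `threshold` messages to external recipients.

    events: iterable of dicts with keys ts (ISO 8601), user, type ('signin' or
            'mail_send'), plus ip/ok for sign-ins and to for sends (assumed format).
    baseline_ips: {user: set of IPs seen during normal activity}.
    Returns {user: {"since": <sign-in time>, "external_mails": <count>}}.
    """
    alerts = {}
    suspicious_since = {}   # user -> time of the most recent non-baseline sign-in
    external_count = {}     # user -> external sends since that sign-in
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "signin" and e.get("ok"):
            # Only a *successful* sign-in from an unknown IP opens a watch window;
            # failed attempts are noise for this particular heuristic.
            if e["ip"] not in baseline_ips.get(user, set()):
                suspicious_since[user] = ts
                external_count[user] = 0
        elif e["type"] == "mail_send" and user in suspicious_since:
            if ts - suspicious_since[user] <= window and _is_external(e["to"]):
                external_count[user] += 1
                if external_count[user] >= threshold:
                    alerts[user] = {
                        "since": suspicious_since[user].isoformat(),
                        "external_mails": external_count[user],
                    }
    return alerts


# Constructed sample events (not real log data). bob signs in from an unknown IP
# and immediately mails six outside addresses; carol mails just as many external
# recipients but from a known IP, so she is normal activity, not an alert.
SAMPLE_EVENTS = [
    {"ts": "2024-12-13T08:02:00", "user": "alice", "type": "signin", "ip": "203.0.113.7", "ok": True},
    {"ts": "2024-12-13T08:10:00", "user": "alice", "type": "mail_send", "to": "partner@other.example"},
    {"ts": "2024-12-13T09:30:00", "user": "bob", "type": "signin", "ip": "198.51.100.4", "ok": True},
    {"ts": "2024-12-13T09:35:00", "user": "bob", "type": "signin", "ip": "192.0.2.55", "ok": True},
] + [
    {"ts": f"2024-12-13T09:4{i}:00", "user": "bob", "type": "mail_send", "to": f"victim{i}@other.example"}
    for i in range(6)
] + [
    {"ts": "2024-12-13T09:46:00", "user": "bob", "type": "mail_send", "to": "hr@ccare.example"},   # internal, ignored
    {"ts": "2024-12-13T13:00:00", "user": "bob", "type": "mail_send", "to": "late@other.example"},  # outside window
    {"ts": "2024-12-13T10:00:00", "user": "carol", "type": "signin", "ip": "198.51.100.9", "ok": True},
] + [
    {"ts": f"2024-12-13T10:0{i}:00", "user": "carol", "type": "mail_send", "to": f"client{i}@other.example"}
    for i in range(6)
]

BASELINE_IPS = {
    "alice": {"203.0.113.7"},
    "bob": {"198.51.100.4"},
    "carol": {"198.51.100.9"},
}


def run_sample():
    """Run the heuristic over the constructed events; only bob should be flagged."""
    return detect_takeover(SAMPLE_EVENTS, BASELINE_IPS)


if __name__ == "__main__":
    for user, info in run_sample().items():
        print(f"ALERT {user}: {info['external_mails']} external mails after new-IP sign-in at {info['since']}")
```

In practice the baseline would be built from several weeks of sign-in history and the events fed from the mail platform's sign-in and message-trace exports; the point of the heuristic is that the two signals together (new location, then outbound burst) are far more specific than either alone.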
Breaches often require detailed forensic investigations to understand what data was accessed and who was affected. In this case, the review was completed before the incident was reported to regulators and impacted individuals.
When both types of data are exposed, it creates opportunities for identity theft, fraudulent insurance claims, and unauthorized access to medical or financial accounts, making recovery more complex and prolonged.
Credit and identity monitoring services are helpful but not foolproof: they alert after the fact rather than preventing misuse. Individuals should remain proactive, review financial statements and insurance explanations of benefits for care they did not receive, set up fraud alerts or a credit freeze, and stay informed of any suspicious activity across accounts.