The hospital has notified patients and the Maine Attorney General, but has not yet reported the incident to the Department of Health and Human Services (HHS).
Watsonville Community Hospital (WCH) in Watsonville, California, recently reported a data breach to the Attorney General of Maine. As part of their report, WCH noted that the breach occurred on November 25th, 2024, but wasn’t discovered until September 22nd, 2025.
A notice was also published to WCH’s website on October 15th, which stated that the incident was still under investigation. WCH stated that as soon as they became aware of suspicious activity, they began investigating the incident and determined that their network had been accessed between November 25th, 2024 and November 30th, 2024.
Their cyber team also conducted a review of the impacted files, which was completed on September 22nd, 2025. The review determined that the following patient information may have been accessed: names, addresses, medical record numbers, Social Security numbers, dates of birth, tax ID numbers, passport numbers, financial account information, payment card information, access credentials, birth certificates, treatment information, prescription information, and health insurance information.
WCH said, “As part of our ongoing commitment to information privacy and security, we reviewed and enhanced our technical, administrative, and physical safeguards, policies, and procedures to further secure the information on our systems.” They have also notified the FBI.
WCH added that they remain committed to “complying with all state and federal requirements and maintaining timely and transparent communication within our community.”
The incident shows how information about breaches can sometimes be limited, especially when the incident goes unnoticed for a long period of time, or if it goes unreported to federal agencies. Individuals who have, for instance, changed addresses, may not know that their data has been impacted. Awareness of a data breach is crucial, as it ensures individuals can take the proper steps to keep their identity secure, which may include active monitoring or using a threat protection service.
Ultimately, an organization can help protect patients by keeping their data as secure as possible, actively monitoring their network for suspicious activity, and notifying individuals and governing bodies as quickly as possible following a breach.
Some organizations may wait to finish investigating before reporting a data breach to the HHS. The HHS also only requires a breach notice within 60 days if more than 500 individuals have been impacted; if less have been impacted, we may not see the breach notification.
Different states have different reporting requirements. In Maine, if a Maine resident is impacted by the breach, the Attorney General must be notified, even if, as in this case, only one Maine resident was affected.