What Happened in the Imperial Beach Community Clinic Data Breach?
The Imperial Beach Community Clinic data breach involved unauthorized access to the clinic’s email environment. As a result, sensitive patient and staff information may have been copied by an outside party. IB Clinic, based in San Diego, filed a formal disclosure with the California Attorney General on Jan. 6, 2026, describing the incident in detail.
According to that filing, the unauthorized access began on Feb. 4, 2025, and continued until May 2, 2025. This means the intrusion persisted for nearly three months before anyone noticed it. The clinic detected unusual activity within its email systems on April 15, 2025, which triggered an urgent internal response.
Once the clinic discovered the suspicious activity, it moved quickly to secure its systems. IB Clinic engaged legal counsel and hired third-party forensic specialists to investigate the scope of the intrusion. Because email systems often contain years of stored patient communications, the investigation took considerable time to complete.
The review process to determine exactly what information was affected and which individuals were impacted did not conclude until Dec. 30, 2025. As a result, notification letters went out to affected individuals only after this lengthy forensic process wrapped up. The investigation confirmed that an unauthorized individual accessed and may have copied certain data stored in the clinic’s email accounts.
Who was affected?
The Imperial Beach Community Clinic data breach may affect both patients and staff members whose information was stored in the compromised email accounts. Because the incident involved email systems rather than a single database, the exposed records could include a wide range of communications sent to or from clinic staff.
The clinic has not publicly disclosed the total number of individuals affected by this breach. However, a separate disclosure filed with the State of Massachusetts confirms that at least one Massachusetts resident had medical information exposed. This detail suggests the breach’s impact extends beyond California, reaching patients or associates outside the clinic’s home state.
Given that IB Clinic serves the San Diego community, most affected individuals are likely California residents. Still, patients who moved, sought care while traveling, or had records shared across state lines could also be impacted. The clinic is notifying all potentially affected individuals directly through mailed letters.
What Information Was Potentially Exposed?
The exact categories of exposed information likely vary by individual, since the breach involved email accounts rather than a single structured database. However, the clinic has confirmed that medical information was among the data types compromised.
- Patient medical information
- Personal identifying details contained within clinic email communications
- Information belonging to both patients and staff members
Because medical information was involved, affected individuals face a heightened risk of medical identity theft. For example, someone could use stolen health details to submit fraudulent insurance claims or obtain prescription medications under another person’s name. This type of fraud can be difficult to detect until a victim reviews their medical records or insurance statements closely.
In addition, exposed personal details found in email communications could support broader identity theft schemes. Scammers often combine stolen data with information from other sources to open fraudulent accounts or file false tax returns. Therefore, even without financial account numbers being confirmed as exposed, affected individuals should still remain cautious about unexpected communications referencing their medical history.
What is the company doing?
Immediately after discovering the unusual activity, IB Clinic took steps to secure its systems and prevent any further unauthorized access. The clinic also retained cybersecurity experts to investigate the incident thoroughly and determine its full scope.
Following the completion of its investigation, the clinic began notifying all potentially affected individuals. Notably, the clinic is sending notifications out of an abundance of caution, even though it has not found evidence of actual or attempted misuse of the exposed information so far.
To support those affected, IB Clinic is offering complimentary services through Cyberscout, a TransUnion company that specializes in fraud assistance and remediation. These services include single bureau credit monitoring, a single bureau credit report, and single bureau credit score tracking for 12 months from enrollment. Affected individuals must enroll within 90 days of receiving their notification letter to take advantage of these protections.
The clinic has also provided general guidance encouraging individuals to monitor their credit reports and consider placing fraud alerts or security freezes. In addition, IB Clinic set up a dedicated assistance line for questions, staffed Monday through Friday from 8 a.m. to 8 p.m. Eastern Time.
What Should Affected Individuals Do?
Enroll in the Free Credit Monitoring Services
Affected individuals should sign up for the complimentary credit monitoring services offered through Cyberscout as soon as possible. This service can help detect suspicious activity on your credit file before it causes significant damage.
Because enrollment must happen within 90 days of receiving the notification letter, it’s important not to delay. Missing this window means losing access to a free protective service that could otherwise help catch fraud early.
Monitor Medical Records and Insurance Statements
Since medical information was exposed, affected individuals should review their health insurance statements and medical records carefully. Look for unfamiliar claims, unknown providers, or services you never received.
If you notice anything suspicious, contact your health insurance provider immediately to dispute the charge. Medical identity theft can sometimes take months to surface, so continued vigilance over the coming year is wise.
Consider a Fraud Alert or Credit Freeze
Placing a fraud alert or credit freeze with the three major credit bureaus adds an extra layer of protection against identity theft. A fraud alert requires creditors to verify your identity before opening new accounts in your name.
A credit freeze goes a step further by blocking most access to your credit file entirely. Although this option requires a bit more effort to lift when needed, it offers stronger protection for individuals concerned about long-term misuse of their information.
Stay Alert for Phishing Attempts
Because your information was involved in this breach, scammers may try to use it to craft convincing phishing emails or phone calls. Be cautious of any message claiming to be from IB Clinic, your insurer, or a credit monitoring service that asks for personal details.
Instead of clicking links in unexpected emails, contact organizations directly using verified phone numbers. This simple habit can prevent you from accidentally handing over sensitive information to a scammer posing as a trusted source.
Consult a Data Breach Attorney
If you received a notification letter from IB Clinic, it may be worth speaking with a data breach attorney about your legal options. An attorney can help you understand whether you qualify for compensation related to this incident.
Many attorneys offer free consultations for data breach cases, so there’s little downside to asking questions. This step can also help you determine whether joining a potential class action makes sense for your situation.
More Information
Official State Attorney General Notification
