CityHealth Data Breach Exposes Medical Information for 65,000 Patients

CityHealth, a family-owned medical corporation operating urgent care and dermatology clinics in Oakland and San Leandro, California, disclosed a data breach that affected approximately 65,000 individuals in the United States.

CityHealth determined that an unauthorized individual had accessed its electronic medical records platform, a system called DrChrono.

The unauthorized access occurred on two separate dates: March 2, 2026, and March 11, 2026, and was carried out using credentials that were not authorized by CityHealth but by a third-party account. The individual involved was identified as a former business counterparty whose access to CityHealth's systems had been previously terminated.

The information compromised included patient names, the names of patients' insurance companies, addresses, dates of birth, contact information, demographic information, insurance information, medical treatment and procedure information, internal billing or financial data associated with patient accounts, and procedure codes connected with services they received.

Notably, the company explicitly stated that dates of birth, contact information and Social Security numbers were not included in the breach.

The breach was disclosed to the California Attorney General and the U.S. Department of Health and Human Services on April 14, 2026. The company also posted a notice on its website with details about the incident.

CityHealth's response to the breach

Based on the company's notifications, CityHealth did not indicate that it is offering free credit monitoring or identity protection services to affected individuals. The notification letter did recommend that recipients take certain precautionary steps on their own, such as monitoring account statements and reviewing credit reports.

CityHealth established a dedicated response line for individuals who have questions about the incident. Affected individuals may reach the company by phone at 800-283-0817, by email at yourprivacy@cityhealth.com, or by mail at CityHealth, Attn: Privacy Office, 201 Dolores Ave., San Leandro, CA 94577.

The dedicated response line will be available during regular business hours for at least 90 days following the date of the notice.

Steps to take if your information was exposed

• Monitor Explanation of Benefits statements from health insurance providers and review medical records for any services or procedures not received, as insurance and medical procedure information was involved in this breach.
• Review financial account statements regularly for any unfamiliar or suspicious charges, especially if billing or financial data may have been exposed.
• Request free credit reports at AnnualCreditReport.com from each of the three major credit bureaus (Equifax, Experian and TransUnion) and check for any accounts or inquiries that seem unfamiliar.
• Place a fraud alert with one of the three major credit bureaus to add an extra layer of protection against unauthorized credit activity.
• Be cautious of phishing attempts that reference CityHealth or this data breach by name, and avoid clicking links or sharing personal information in unsolicited emails, calls or text messages.
• Report suspicious activity to health care providers, insurers or financial institutions promptly if any unusual billing, claims or medical records activity is noticed.