Healthcare In Action Data Breach Exposes Information of Patients and Non-Patients

Healthcare In Action (HIA), a nonprofit medical group that provides healthcare services to individuals experiencing homelessness in California, disclosed a data breach that affected 1,143 people in the United States.

The breach began when an employee's login credentials were compromised, allowing an unauthorized party to access certain HIA systems between Jan. 28, 2026, and Jan. 30, 2026.

After identifying suspicious activity tied to the employee's email account, HIA disabled the user's access. The company then launched an internal investigation and brought in an independent third-party forensic firm to assess the nature and scope of the incident.

The forensic investigation confirmed that the compromised credentials had been used to gain unauthorized access. Following that determination, the company conducted a detailed review to identify what information was in the affected files and emails and to determine which individuals were impacted. The review was completed on March 20, 2026.

The types of information exposed varied by individual and included both personally identifiable information and protected health information.

For patients and clients, the exposed data included names, dates of birth, driver's license or state ID numbers, email addresses, phone numbers, ethnicity, housing application case numbers or HMIS numbers, health plan names, health plan member IDs, mailing or physical addresses, medical record numbers, diagnoses or conditions, dates of service, locations of service, treatment information, disability verification information, medications and Social Security numbers.

Non-patient community members were also affected, with compromised data types involving name, address and Social Security number.

The breach was reported to the U.S. Department of Health and Human Services on March 30, 2026. HIA additionally posted a notice on its website with details about the incident.

Healthcare In Action's response to the breach

Healthcare In Action is mailing notices to all individuals affected by the breach. The company has arranged through Experian IdentityWorks to provide complimentary credit monitoring and identity theft protection for one year to all impacted individuals.

Individuals who receive a notice will find a unique activation code and a deadline to enroll in these free services.

Individuals who have not received a mailed notice but believe they may have been impacted can call 833-918-1115 and reference engagement number B162552. The call center is available Monday through Friday from 6 a.m. to 6 p.m. PST, excluding major U.S. holidays.

Steps to take if your information was exposed

• Place a fraud alert or credit freeze with Equifax (1-800-525-6285), Experian (1-888-397-3742) and TransUnion (1-800-680-7289) to help prevent unauthorized accounts from being opened using stolen information.
• Review free credit reports at AnnualCreditReport.com for any unfamiliar accounts or inquiries that could be a sign of identity theft.
• Monitor health insurance statements carefully for any services, prescriptions or medical claims that were not authorized, since exposed medical information could be used for healthcare fraud.
• Be cautious of phishing attempts that reference Healthcare In Action or this data breach by name, as scammers may use stolen details to craft convincing emails, calls or text messages.
• Review financial account statements for unauthorized transactions and report suspicious activity to the appropriate financial institution right away.
• Report suspected identity theft to the Federal Trade Commission at ftc.gov/idtheft or by calling 1-877-438-4338 if any signs of fraud appear.