Between April 23, 2024, and May 5, 2024, Arch Health Partners Inc. d/b/a Palomar Health Medical Group (PHMG) experienced a major data breach affecting its computer systems. PHMG discovered the suspicious activity on certain computer systems within its network on May 5, 2024, the last day of unauthorized access.
An investigation revealed that an unauthorized actor had gained access to specific files and may have copied them during a window of nearly two weeks. The breach was not limited to a single location or type of patient record; rather, it spanned multiple locations and potentially impacted a broad spectrum of current and former patients.
The review, completed on Sept. 4, 2025, determined that highly sensitive information was exposed. The types of data compromised vary by individual but include both personally identifiable information (PII) and protected health information (PHI).
Exposed data may include: name, address, date of birth, Social Security number, driver’s license number, state identification number, military identification number, passport number, U.S. alien registration number, financial account information, payment card information, health savings account information, medical history, diagnostic and treatment information, biometric data, medical record number, Medicare/Medicaid identification number, patient account number, health insurance information, email address and password, and username and password.
This breach is particularly severe due to the breadth and sensitivity of the information involved. Not only were financial and government-issued identifiers exposed, but also detailed medical histories and credentials that could be used for identity theft or medical fraud. The breach affected at least 374 individuals in Massachusetts, and likely thousands more across other states.
The data breach was disclosed to the Massachusetts Attorney General's office and the California Attorney General on Oct. 15, 2025. The medical practice began notifying affected patients by mail on the same day.
Further details, including the official notice to consumers, are available on the PHMG data breach notice page.
To support those affected, PHMG is offering complimentary credit monitoring and identity restoration services for an extended period through Experian. Impacted individuals have been provided with instructions on how to enroll in these services, which include daily credit monitoring, identity restoration assistance, and $1 million in identity theft insurance.
PHMG is also encouraging all potentially affected individuals to remain vigilant by reviewing account statements, explanation of benefits, and credit reports for suspicious activity over the next 12 to 24 months.
Given the nature of the data exposed, including Social Security numbers, medical information, and financial details, individuals are strongly advised to: