Stockton Cardiology Ransomware Data Breach: 645GB Exposed

Stockton Cardiology Medical Group, an independent cardiology practice serving the San Joaquin Valley in California, disclosed a data breach that occurred on Dec. 15, 2025. The total number of individuals affected has not been publicly reported.

Stockton Cardiology discovered the breach on Jan. 17, 2026, and began notifying affected individuals in March 2026.

The breach was disclosed to the California Attorney General on March 20, 2026.

What happened in the Stockton Cardiology Medical Group data breach

On Jan. 17, 2026, the company discovered that certain files maintained in the ordinary course of business and patient care may have been accessed and removed from its systems by an unauthorized individual. Stockton Cardiology began an investigation to determine the scope of the breach and to restore the integrity of its systems.

On Feb. 17, 2026, Stockton Cardiology learned that some of the compromised files had been publicly disclosed.

That same day, the ransomware group GENESIS posted a claim on the tor network stating it had obtained 645 gigabytes of data from the organization. The group's posting indicated the compromised data reportedly included healthcare data, personal data, financial data, user folders and operational data from the company's file server. GENESIS stated it intended to publish the data within five to six days.

The types of information exposed in the breach included patient names, mailing addresses, email addresses and billing records that may contain limited medical information associated with services provided.

The company's notification also noted that certain company business records may have been involved.

Stockton Cardiology Medical Group's response to the breach

According to its notification letter, Stockton Cardiology retained an independent security firm to assist in the investigation of the breach. The company also made several improvements to the security configuration of its information systems.

Those improvements included shutting down an older remote access service used by staff, adding multi-factor authentication to certain internal systems and resetting all passwords across its systems. The practice also began reviewing its policies for data retention so that fewer working files are stored.

Stockton Cardiology is offering affected individuals one year of complimentary credit monitoring services through its partner vendor, Epiq. The credit monitoring package includes one-bureau credit monitoring with alerts, a VantageScore 3.0 credit score and report, Social Security number monitoring, dark web monitoring and change of address monitoring.

Affected individuals can enroll by visiting the Epiq enrollment website and entering the activation code included in their notification letter. For help with enrollment, individuals can call Epiq directly at 866-675-2006, Monday through Friday from 9 a.m. to 5:30 p.m. ET.

For additional questions about the breach, affected individuals can contact Stockton Cardiology at 209-944-5750, Monday through Friday between 8 a.m. and 5 p.m., or by email at response@stocktoncardiology.com.

Steps to take if your information was exposed

• Place a fraud alert or credit freeze with Equifax, Experian and TransUnion to help prevent unauthorized accounts from being opened using stolen personal information.
• Request and review free credit reports at AnnualCreditReport.com, looking for any unfamiliar accounts or inquiries.
• Monitor bank and credit card statements closely for unauthorized charges, especially since billing records were among the types of information exposed.
• Review medical billing statements and Explanation of Benefits documents for any services not received, as limited medical information may have been part of the compromised files.
• Be cautious of phishing attempts that reference Stockton Cardiology Medical Group or this data breach by name, since exposed email and mailing addresses could be used to send convincing scam messages.