United Medical Doctors Discloses Data Breach Affecting Patients

United Medical Doctors, a large independent multi-specialty medical and surgical group headquartered in Murrieta, California, disclosed a data breach that may have exposed personal information belonging to certain current and former patients.

United Medical Doctors discovered the breach on March 31, 2026, and began notifying consumers on May 20, 2026. The company posted a notice of the data event on its website and stated it is also notifying appropriate governmental regulators about the incident. The total number of individuals affected has not been publicly disclosed.

An investigation found that an unauthorized user had gained access to the company's computer systems at varying times between Dec. 12, 2025, and March 31, 2026, according to the notification. This means the unauthorized access went undetected for roughly three and a half months before the company identified the suspicious activity on its network.

During that period, the unauthorized user accessed and may have acquired certain files stored within the company's digital environment. The company described this activity as "access to and/or acquisition of certain files," meaning the unauthorized user may have both viewed and taken data from the company's systems.

As of the notification date of May 20, 2026, the specific types of information involved in the breach were still unknown. United Medical Doctors stated it is actively reviewing the affected files to understand whether any sensitive information related to individuals may be contained in them.

Because this file review remains underway, the company has not yet confirmed what categories of personal data, financial details or protected health information may have been compromised in the incident.

United Medical Doctors' response

In its notification to consumers, United Medical Doctors stated that the confidentiality, privacy and security of information within its care is among the company's highest priorities. The company described itself as acting "quickly and diligently" to address the matter.

Along with its notification to affected individuals, the company provided detailed guidance to help them protect themselves from potential identity theft or fraud. The company encouraged these individuals to remain vigilant by reviewing account statements and monitoring credit reports for suspicious activity. The notice stated that the notification was not delayed by law enforcement.

As part of its guidance, the company included contact information for the three major credit reporting bureaus. Affected individuals can reach Equifax at 1-888-298-0045, Experian at 1-888-397-3742 and TransUnion at 1-833-799-5355. The notification explained that consumers have the right under federal law to place fraud alerts or credit freezes on their credit files at no charge.

The company also directed individuals to the Federal Trade Commission for additional identity theft resources, noting that the FTC can be reached at www.identitytheft.gov, by phone at 1-877-438-4338, or by mail at 600 Pennsylvania Ave. NW, Washington, D.C. 20580.

However, the company's notification did not include an offer of free credit monitoring or identity protection services for affected individuals. It also did not provide a dedicated call center or toll-free phone number for those with questions about the breach.