TL;DR: AltaMed Health Services (California's largest community health center network, serving nearly 300,000 patients annually) suffered a cybersecurity incident on December 14, 2025. Attackers accessed employee and patient data including Social Security numbers, medical records, dates of service, and payment information. AltaMed didn't start notifying patients until February 12, 2026, two months after the breach. Multiple law firms are investigating class action lawsuits. If you've received care at any of AltaMed's 46 Southern California locations, your data may be compromised.
What Happened
On December 14, 2025, AltaMed Health Services Corporation detected a "cybersecurity incident" that knocked out access to certain computer systems. According to the company, they immediately activated incident response protocols, secured their systems, and brought in cybersecurity experts [1].
That's the sanitized version. Here's what it means in plain English: someone got into their network and grabbed data.
Two months later, on February 12, 2026, AltaMed started sending notification letters. Employees learned their names, addresses, Social Security numbers, and compensation details were exposed. Patients learned their names, dates of medical services, and payment information may have been accessed [2][3].
Two months is a long time when your Social Security number is in a hacker's hands.
What Data Was Exposed
The breach exposed two categories of information:
Employee data:
- Names and addresses
- Social Security numbers
- Compensation details
Patient data:
- Names
- Dates of medical services
- Payment information
- Potentially other protected health information (PHI)
AltaMed hasn't disclosed exactly how many people were affected. A previous breach affecting the company (disclosed in June 2025, stemming from an August 2024 incident) impacted 4,530 individuals and exposed even more sensitive data, including medical records, diagnoses, COVID-19 vaccination status, and prescription records [4]. The December 2025 breach could be larger.
Who AltaMed Serves
This isn't some random urgent care clinic. AltaMed is the largest independent Federally Qualified Health Center (FQHC) in California, and one of the largest in the country. Since 1969, they've provided healthcare to underserved communities across Southern California [5].
The numbers:
- Nearly 300,000 patients served annually
- 46 locations across Los Angeles and Orange Counties
- Over 2 million clinic visits per year plus 400,000 virtual visits
- 83% Hispanic/Latino patient population
- 97% of patients at or below the Federal Poverty Level
AltaMed provides primary care, pediatrics, OB/GYN, geriatrics, HIV/AIDS treatment, dental care, substance abuse treatment, and family planning. These are people who often don't have other healthcare options [5].
A breach at a community health center hits different than a breach at a private hospital network. The patients affected are disproportionately low-income, immigrants, and people without employer-sponsored insurance. They have fewer resources to monitor for identity theft and fraud.
The Two-Month Gap
The breach happened December 14, 2025. Notifications started February 12, 2026. That's 60 days.
California law requires notification "in the most expedient time possible and without unreasonable delay." HIPAA requires notification within 60 days of discovery. AltaMed appears to have squeezed right up against the deadline [6].
Why does the timing matter? Because every day between a breach and notification is a day attackers can use your data while you don't know to watch for fraud. Two months is enough time to:
- Open credit cards in your name
- File a fraudulent tax return
- Commit medical identity theft
- Sell your data on criminal marketplaces
By the time patients got their letters in mid-February, any damage may already have been done.
Not AltaMed's First Breach
Here's what makes this worse: AltaMed disclosed another data breach just eight months earlier.
In June 2025, AltaMed notified the California Attorney General of a breach stemming from an August 2024 incident. That breach exposed Social Security numbers, medical records, diagnoses, COVID-19 vaccination records, prescription data, and financial information for 4,530 patients [4].
Two breaches in 18 months. Same organization. Serving some of the most vulnerable patients in California.
When a healthcare provider gets breached twice in quick succession, it raises serious questions about whether the underlying security problems were actually fixed.
The Lawsuits Are Coming
Multiple law firms have announced investigations into the December 2025 breach:
- Lynch Carpenter LLP: Investigating claims, announced February 17, 2026 [7]
- Cole & Van Note: California data breach class action investigation [2]
- Strauss Borrelli PLLC: Investigating both the 2024 and 2025 breaches [3]
Affected individuals may be able to join a class action to recover compensation for loss of privacy, time spent dealing with the breach, out-of-pocket costs for credit monitoring, and other damages.
What You Should Do
If you've received care at any AltaMed location in Los Angeles or Orange County, assume your data may be compromised. Even if you haven't received a notification letter:
- Freeze your credit immediately. Call Equifax (800-349-9960), Experian (888-397-3742), and TransUnion (888-909-8872). Credit freezes are free and prevent anyone from opening new accounts in your name.
- Monitor your credit reports. Get free weekly reports from AnnualCreditReport.com and check for accounts you didn't open.
- Watch for medical identity theft. Request your medical records from AltaMed and check for services you didn't receive. Medical ID theft can affect your health insurance and future care.
- Set up an IRS Identity Protection PIN. If your SSN was exposed, get an IRS IP PIN to prevent fraudulent tax returns.
- Accept the free credit monitoring. AltaMed is offering identity protection services to affected individuals. Take them up on it. It's the least they can do.
- Document everything. Keep copies of any notification letters, credit monitoring enrollments, and time spent dealing with the breach. This documentation matters if you join a class action.
The Community Health Center Security Problem
AltaMed isn't alone. Community health centers across the country are under constant attack, and they often lack the security budgets of major hospital systems.
FQHCs serve over 30 million patients nationally, predominantly low-income, uninsured, and underserved populations. They're required to accept patients regardless of ability to pay. That mission is noble. But it also means thin margins and security investments that compete with direct patient care [5].
The result: safety-net providers become targets for attackers who know the data is valuable but the defenses may be weak.
We saw the same pattern with Conduent's breach of Medicaid data affecting 26 million Americans, one of the worst breaches of the year. Government contractors and healthcare providers serving vulnerable populations keep getting hit, and the people who can least afford identity theft bear the consequences.
What Needs to Change
Two breaches in 18 months means something is broken. AltaMed should:
- Disclose the full scope. How many patients and employees were affected? What data exactly was taken? The vague language in notification letters doesn't cut it.
- Explain what went wrong. Was this a phishing attack? A vulnerability? Insider access? Patients deserve to know.
- Detail the fixes. What security improvements have been made since December 2025? What about since August 2024?
- Notify faster. Waiting 60 days to notify may be technically legal, but it's not acceptable when SSNs are on the line.
California Attorney General Rob Bonta has been aggressive about healthcare data protection. This breach, affecting a major FQHC serving predominantly Latino and low-income communities, should be on his radar.
Sources
- [1] Class Action U: AltaMed Health Services Corporation Data Breach Lawsuit (February 2026)
- [2] Cole & Van Note: AltaMed Health Services Data Breach Investigation (February 13, 2026)
- [3] ClassAction.org: AltaMed Health Services Data Breach Reported; Lawyers Investigating (February 2026)
- [4] ClaimDepot: AltaMed Data Breach: SSNs and Protected Health Info Exposed
- [5] AltaMed Health Services Official Website
- [6] HIPAA Journal: December 2025 Healthcare Data Breach Report
- [7] GlobeNewswire: AltaMed Data Breach Claims Investigated by Lynch Carpenter (February 17, 2026)
Published: February 18, 2026