Data breach at medical billing company impacts 7 healthcare organizations

What happened

La Perouse recently informed the California Attorney General of a data breach impacting at least seven healthcare providers. The Las Vegas, Nevada-based medical billing and coding management company is considered a business associate for these providers, but handles a trove of sensitive data related to patient services and billing, making it highly valuable on the black market.

According to their notice, issued on May 28th, 2026, to victims and enforcement agencies, the company first became aware of unauthorized access on July 8th, 2025, nearly one year ago. Information involved included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, patient identification and medical records, medical information, and health insurance information.

The healthcare providers who were impacted in the breach include:

• Beach Emergency Medical Associates
• Centinela Freeman Emergency Medical Associates
• Chino Emergency Medical Associates
• Hollywood Presbyterian Emergency Medical Associates
• Montclair Emergency Medical Associates
• Tarzana Emergency Medical Associates
• Temecula Valley Hospitalist Medical Group.

Going deeper

Adding a layer of complexity, La Perouse’s online notice stated the unauthorized access occurred at one of the company’s third-party billing platforms, meaning the incident is twice removed from the healthcare providers victims interact with. La Perouse did not name the billing platform that was accessed, but noted “there was no unauthorized access or impact to La Perouse’s own network environment.”

La Perouse also noted that once the files were accessed, they were copied. In response, the company determined their own systems were secure and worked with the billing platform to “ensure that any additional technical safeguards, enhanced security measures, and updated policies and procedures were implemented to mitigate against the risk of future issues.”

Why it matters

Data breaches at business associates are becoming increasingly common, with Paubox finding in their 2026 Email Security Report that approximately 28% of email breaches are related to business associates. A report from Healthcare Dive similarly found that breaches at business associates used by healthcare providers increased 22% between 2023 and 2024, with an upward trajectory.

Breaches at business associates are particularly troubling, because victims are often left feeling unsure of who to contact or how the breach even occurred in the first place.

With the incident at La Perouse’s, the breach notification was delayed nearly a year, likely because La Perouse had to coordinate with the company that was actually breached. With multiple different organizations involved, getting accurate information about how the breach took place and the potential consequences is more difficult. In this case, La Perouse seems to be handling breach notifications, but it’s unclear who would face legal action.

The big picture

The incident at La Perouse proves organizations always need to have clear business associate agreements, which outlines the vendor’s responsibilities and obligations regarding data security. In this case, the billing service La Perouse worked with should have also had a business associate agreement, since that company is also handling protected health information (PHI). However, if La Perouse did not disclose to the healthcare providers information about the third-party, a business agreement may not have existed.

FAQs

Is health insurance information valuable on the dark web?

Yes. Medical information, including insurance, can be used for medical identity theft, where criminals receive care or prescriptions under a stolen identity, leaving the victim with medical bills or inaccurate health records. Insurance information can also be used to file fake claims with real patient data, leading to revenue loss for providers and insurance companies.

Why isn’t La Perouse’s business associate providing the notices?

It’s not clear why La Perouse is handling the disclosures, but it’s possible that they are taking responsibility for the incident if they did not give healthcare providers clear notice that they were using the other vendor.