Imperial Beach Community Clinic email breach affects patients and staff

A San Diego area clinic disclosed unauthorized access to its email systems following a months-long incident.

 

What happened

Imperial Beach Community Clinic disclosed a data breach involving unauthorized access to its email environment, according to a filing with the California Attorney General dated January 6, 2026. The clinic said suspicious activity occurred between February 4, 2025, and May 2, 2025, with detection on April 15, 2025. An investigation later determined that an unauthorized party may have accessed and copied sensitive information stored in employee email accounts. The review of affected data concluded on December 30, 2025, and notification letters are being issued to potentially impacted individuals.

 

Going deeper

The clinic said the incident stemmed from unauthorized access rather than a systemwide outage or ransomware event. Once the activity was identified, Imperial Beach Community Clinic launched an internal review and engaged outside legal counsel and forensic specialists to determine the scope and exposure. Investigators concluded that certain patient and staff information may have been copied from email accounts during the exposure window. While no evidence of misuse has been identified, the length of the exposure period required broad notification under state and federal rules.

 

What was said

Imperial Beach Community Clinic said it moved quickly to secure its systems after identifying unauthorized access and is notifying patients as a precautionary step. In a notice posted on its website in January 2026, the clinic said it is providing notice "out of an abundance of caution," adding that there is no evidence the incident has resulted in identity theft or fraud. The clinic said it is offering twelve months of single-bureau credit monitoring, credit reporting, and credit score services through Cyberscout, and advised affected individuals to monitor financial activity, place fraud alerts, and contact financial institutions if suspicious activity is detected.

 

In the know

Reporting from Information Security Media Group shows that email remains one of the most common weak points in healthcare breaches, affecting nearly 2.2 million people and accounting for over a quarter of all reported breaches. One of the largest cases involved United Seating and Mobility, also known as Numotion, which notified close to 500,000 individuals after attackers gained access to employees' inboxes. Phishing and social engineering continue to drive these incidents, particularly as healthcare organizations face constant operational pressure and attackers focus on exploiting routine human behavior rather than technical flaws.

 

The big picture

Email remains a common point of exposure for healthcare organizations. A Paubox review of federal breach data shows that in 2025, the U.S. Department of Health and Human Services logged 170 healthcare breaches tied to email access, impacting more than 2.5 million people. Phishing-related mailbox takeovers accounted for about 17% of incidents, affecting over 630,000 individuals, while vendor and business associate email compromises were the most common, accounting for 28% of reported cases. The figures reflect how often sensitive patient and staff data is stored in inboxes that may not be monitored as closely as core clinical systems.

 

FAQs

What type of breach occurred at Imperial Beach Community Clinic?

The incident involved unauthorized access to employee email accounts, with possible copying of stored information.

 

What information may have been exposed?

The clinic reported that medical information may have been involved. The exact data elements vary by individual.

 

Was ransomware involved?

No. The clinic described the incident as unauthorized email access rather than a ransomware or system encryption event.

 

Why are notifications required even without evidence of misuse?

Privacy laws require notification when protected health information may have been accessed by an unauthorized party, regardless of confirmed misuse.
