
Stockton Cardiology reveals ransomware breach as GENESIS claims 645GB stolen


A California cardiology practice is notifying patients after a phishing email in December 2025 led to a data breach that was not publicly confirmed until a ransomware group posted the stolen data online two months later.


What happened

Stockton Cardiology Medical Group, an independent cardiology practice with five locations across the San Joaquin Valley in California, has disclosed a cybersecurity incident affecting an undisclosed number of patients and staff. According to Becker's ASC, the practice discovered on January 17, 2026, that certain files maintained for business and patient care purposes may have been accessed and removed by an unauthorized individual. The incident traces back to December 15, 2025, when suspicious phishing emails were sent to employees and subsequently deleted. On February 17, 2026, the practice learned that some of the compromised files had already been publicly disclosed. That same day, a ransomware group known as GENESIS posted a claim on a dark web network stating it had obtained 645 gigabytes of data, including healthcare, personal, financial, and operational data from the practice's file servers. The breach was formally reported to the California Attorney General on March 20, 2026. The types of information involved include patient names, mailing and email addresses, and billing records that may contain limited medical information.


Going deeper

The breach followed a pattern common to phishing-initiated intrusions: an email reached employee inboxes, was deleted as part of the practice's initial response, but had already enabled unauthorized access to files that were later exfiltrated. The practice did not detect the full extent of the file access until January 17, more than a month after the initial phishing event, and did not learn that stolen files had been published online until February 17, when GENESIS made its dark web claim public. In response, Stockton Cardiology shut down an older remote access service that staff had been using, added multi-factor authentication to certain internal systems, reset all passwords across its systems, and began reviewing its data retention policies to reduce the volume of working files stored on its network. The practice engaged an independent security firm to assist with the investigation.


In the know

The Stockton Cardiology breach illustrates a pattern that is becoming more common in independent cardiology and specialty practices: an initial email-based intrusion goes undetected long enough for attackers to exfiltrate large volumes of data before an encryption event or a dark web posting reveals the full scope of what occurred. According to Becker's Healthcare, a separate Stockton-area cardiology institution, Dameron Hospital, agreed to a $650,000 class action settlement in 2025 following a 2023 ransomware attack that potentially exposed data belonging to hundreds of thousands of patients. The proximity of two ransomware incidents affecting cardiology providers in the same California region underscores that attackers do not confine their targeting to large systems, and that specialty practices serving defined patient populations face the same ransomware threat environment as major health systems.


The big picture

Independent cardiology practices occupy a profile that makes them structurally attractive targets for ransomware operators: they hold detailed cardiac health records and billing data for patients with serious chronic conditions, operate with smaller IT teams than hospital systems, and often rely on legacy remote access tools and default platform security settings that can be exploited through phishing. According to Paubox's What Small Healthcare Practices Get Wrong About HIPAA and Email Security report, phishing is the leading cause of healthcare breaches, with over 70 percent of healthcare data breaches originating from phishing attacks as of 2024. The same report found that approximately 50 percent of small and midsize healthcare organizations lack anti-phishing controls beyond default spam filters, and that nearly all have not implemented secure email transfer protocols that would reduce their exposure. The Stockton Cardiology breach began with a phishing email that employees deleted, but deleting the message did not prevent the access that had already been established, a limitation that default-only security configurations cannot address after the fact.


FAQs

What is the GENESIS ransomware group?

GENESIS is a ransomware group that operates using a double extortion model, exfiltrating data before threatening to publish it on a dark web leak site if payment is not made. The group claimed 645 gigabytes of data from Stockton Cardiology and indicated it intended to publish the data within days of its February 17, 2026, posting.


How did a phishing email lead to a data breach even after employees deleted it?

Phishing emails can deliver malicious code or credential theft mechanisms that operate at the point of clicking or loading, before the email is deleted. Once an attacker has established access through a phishing email, deleting the message does not terminate the access that was already gained. In this incident, the initial phishing event in December 2025 enabled file access that was not detected until January 2026.


Why did the practice disable its remote access service after the breach?

Older remote access services often lack modern authentication controls, such as multi-factor authentication, and may use outdated protocols that are easier for attackers to exploit once they have initial network access. Shutting down the service and replacing it with more secure access methods reduces the risk that a similar intrusion could establish or maintain persistent access in the future.
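The two FAQ answers above, together with the response measures described under "Going deeper" (shutting down the legacy remote access service, adding MFA, resetting passwords), come down to one triage question: what access did the phishing click establish that deleting the email could not revoke, and has it been cut off? The script below is an added example, not code from Paubox or from Stockton Cardiology, and it runs over a constructed event log. The log format (`TIMESTAMP KIND key=value ...`), the user names, the source addresses (RFC 5737 documentation ranges) and the service name `legacy-vpn` are all hypothetical. It lists logins made after a user clicked the phishing link, the subset that happened after the message was deleted, logins over the legacy remote access service without MFA, and users whose password was not reset after their last flagged login.

```python
"""Post-phishing access triage over a constructed event timeline.

Added example; not Paubox's or Stockton Cardiology's code. The log format,
users, addresses and service names are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (UTC). One phishing message (M-1) reached jdoe,
# who clicked it and deleted it 36 minutes later; logins continue afterwards.
SAMPLE_EVENTS = """\
2025-12-15T09:02:11Z email_delivered user=jdoe msgid=M-1
2025-12-15T09:05:40Z link_clicked user=jdoe msgid=M-1
2025-12-15T09:06:02Z login user=jdoe service=webmail mfa=yes src=203.0.113.10
2025-12-15T09:41:30Z email_deleted user=jdoe msgid=M-1
2025-12-15T22:17:05Z login user=jdoe service=legacy-vpn mfa=no src=198.51.100.7
2025-12-16T03:10:44Z login user=jdoe service=legacy-vpn mfa=no src=198.51.100.7
2025-12-18T11:00:00Z login user=asmith service=legacy-vpn mfa=no src=192.0.2.55
2025-12-19T09:00:00Z password_reset user=bwong
2025-12-20T14:30:00Z login user=bwong service=legacy-vpn mfa=no src=192.0.2.90
2026-01-17T08:00:00Z password_reset user=jdoe
2026-01-17T08:05:00Z password_reset user=asmith
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    attrs: dict


def parse_events(text: str) -> list[Event]:
    """Parse 'TIMESTAMP KIND key=value ...' lines (constructed format), oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_raw, kind, *pairs = line.split()
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        attrs = dict(p.split("=", 1) for p in pairs)
        events.append(Event(ts, kind, attrs))
    return sorted(events, key=lambda e: e.ts)


def _fmt(e: Event) -> str:
    a = e.attrs
    return f"{e.ts.isoformat()} {a.get('user')} {a.get('service')} mfa={a.get('mfa')} src={a.get('src')}"


def triage(text: str) -> dict:
    """Return the access a phishing click may have established and what remains to revoke."""
    events = parse_events(text)

    # First pass: when did each user click the phishing link, and when was it deleted?
    clicks: dict[str, datetime] = {}
    deleted: dict[str, datetime] = {}
    for e in events:
        u = e.attrs.get("user")
        if e.kind == "link_clicked":
            clicks.setdefault(u, e.ts)
        elif e.kind == "email_deleted" and u in clicks:
            deleted.setdefault(u, e.ts)

    post_click: list[Event] = []     # logins after the click: deleting the mail does not undo these
    after_delete: list[Event] = []   # subset that occurred after the message was already gone
    legacy_no_mfa: list[Event] = []  # legacy remote access logins with no second factor
    last_login: dict[str, datetime] = {}
    resets: dict[str, datetime] = {}

    # Second pass: classify logins and record remediation (password resets).
    for e in events:
        u = e.attrs.get("user")
        if e.kind == "login":
            last_login[u] = e.ts
            if u in clicks and e.ts >= clicks[u]:
                post_click.append(e)
                if u in deleted and e.ts >= deleted[u]:
                    after_delete.append(e)
            if e.attrs.get("service") == "legacy-vpn" and e.attrs.get("mfa") != "yes":
                legacy_no_mfa.append(e)
        elif e.kind == "password_reset":
            resets[u] = e.ts

    # A reset only helps if it happened after the last flagged login for that user.
    flagged_users = {e.attrs["user"] for e in post_click + legacy_no_mfa}
    needs_reset = sorted(u for u in flagged_users
                         if u not in resets or resets[u] < last_login[u])

    return {
        "post_click_logins": [_fmt(e) for e in post_click],
        "logins_after_deletion": [_fmt(e) for e in after_delete],
        "legacy_logins_without_mfa": [_fmt(e) for e in legacy_no_mfa],
        "users_needing_reset": needs_reset,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"== {key} ==")
        for item in value:
            print("  ", item)
```

On the constructed sample, the two `legacy-vpn` logins by `jdoe` fall after the email was deleted, which is exactly the situation the FAQ describes: removing the message leaves the session or credential the click produced untouched. `bwong` shows up as still needing a reset because the reset predates the last unauthenticated legacy login; in a real investigation the same ordering check applies to MFA enrolment and to revoking tokens for the retired remote access service.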
