
Palomar Health Breach Exposes Patient Data via Third‑Party Associate

On March 11, 2026, Palomar Health Medical Group discovered suspicious activity in a third‑party associate’s environment, potentially exposing names, SSNs, payment card data and login credentials. Attorneys are probing a possible class action lawsuit.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Classaction

TL;DR: Palomar Health Medical Group discovered a breach in a third‑party associate’s environment on or around March 11, 2026, potentially exposing names, addresses, birth dates, Social Security numbers, payment card data, email addresses and login credentials. Attorneys working with ClassAction.org are investigating whether a class action lawsuit can be filed.

Context

Palomar Health Medical Group operates hospitals, clinics and urgent cares across northern San Diego and Southern California. On or around March 11, 2026, the organization learned of suspicious activity in a business associate’s hosted environment that contained certain PHMG data. PHMG notified the associate and launched an investigation, which found that PHMG data was accessed by an unauthorized actor while PHMG’s own systems were not impacted.

Key Facts

- Discovery date: on or around March 11, 2026.
- Exposed information may include names, addresses, birth dates, Social Security numbers, payment card details, email addresses, usernames and passwords.
- The breach originated in a third‑party associate’s environment; PHMG’s internal networks were reportedly unaffected.
- The specific attack vector and threat actor have not been publicly disclosed.
- Attorneys partnered with ClassAction.org are evaluating the feasibility of a class action lawsuit.

What It Means

For patients, the exposure of Social Security numbers and payment card data raises risks of identity theft and financial fraud. Regulatory scrutiny from the U.S. Department of Health and Human Services is likely, given the breach involves protected health information. Financially, PHMG may face remediation costs, potential fines, and legal expenses if a class action proceeds. The incident underscores the growing risk posed by third‑party vendors in healthcare supply chains.

What Defenders Should Do

- Enforce multi‑factor authentication for all remote and third‑party access points.
- Implement continuous monitoring of vendor networks for anomalous login attempts (MITRE ATT&CK T1078 – Valid Accounts).
- Patch external‑facing VPNs and remote‑desktop services promptly; prioritize known vulnerabilities such as CVE‑2023‑28252 (Citrix ADC) and CVE‑2022‑22965 (Spring4Shell) if applicable.
- Enforce least‑privilege principles and network segmentation to limit lateral movement from compromised vendor systems.
- Review and update vendor contracts to require regular security assessments, breach notification timelines, and indemnification clauses.
- Deploy endpoint detection and response (EDR) tools with behavioral analytics to detect credential‑based abuse.

Watch for the outcome of the class action probe and any HHS penalties or guidance on third‑party risk management.
