Southwest Networks - Managed IT Services & Cybersecurity

What Just Happened in Your Backyard — And What Every Healthcare Practice in San Bernardino and Riverside Counties Needs to Do About It

By Matt Disher

A healthcare provider serving patients across San Bernardino, Riverside, and San Diego Counties suffered unauthorized network access on or around February 28, 2026 — and didn’t disclose it publicly until April 29th. As of this writing, the breach still hasn’t been reported to the California Attorney General’s office, potentially violating both federal and state notification requirements.

That’s not a headline from somewhere else. That’s your backyard.


The Two-Month Window Nobody Talks About

Here’s the part that should concern every healthcare practice in the region: the attack likely happened weeks before anyone knew it had.

That’s not unusual. It’s actually how most of these attacks work.

When an attacker gets inside a network, they don’t immediately announce themselves. They move slowly — carefully mapping out what’s there, what’s valuable, and where the data lives. They’re aware that security systems exist, and they don’t want to trigger any alarms. So they take their time. They work to expand their access quietly, and then they start pulling data out, usually as insurance in case the victim refuses to pay a ransom.

During those two months, nothing looks wrong from the outside. Systems are running. Staff are working. And unless someone is actively watching for unusual behavior — not just monitoring uptime, but actually analyzing what’s moving across the network — nobody knows it’s happening.

The only way to catch an attack in progress is with multiple overlapping layers of security: cloud security, edge protection, internal monitoring, and — critically — the human layer. A Managed SOC (Security Operations Center), MDR (Managed Detection and Response), application whitelisting, and Zero Trust frameworks aren’t optional extras for healthcare practices. They’re the difference between catching an intrusion and reading about it in the news two months later.

CISA’s cybersecurity best practices make this point clearly. Defense in depth isn’t a luxury — it’s the baseline.


What “Unauthorized Network Access” Usually Means in Plain English

The public statement in cases like this almost always says something vague like “unauthorized network access was detected.” What it rarely says is how it happened.

In the Inland Empire healthcare practices we work with, the real entry point is almost always email, a social media link, or a personal device connecting to the network. A phishing email that looked legitimate. A link clicked on a phone that’s also connected to the office Wi-Fi. Something human. Something preventable.

Here’s the bigger context that gets glossed over in breach announcements: healthcare settings — hospitals, doctor’s offices, dental practices — run on a lot of expensive technology. Equipment that costs significant money to purchase and more money to keep running. After that, there often isn’t much budget left for keeping security current, monitoring it properly, and making sure it’s actually working the way it should.

And employee training? It usually happens once a year if it happens at all. That’s not enough. Quarterly training at minimum is what actually moves the needle on human-layer security.

The Verizon Data Breach Investigations Report has documented for years that the human element remains the leading factor in breaches. That’s not going to change until practices treat training as ongoing, not a checkbox.


The Compliance Clock Is Already Running

The delay in reporting this breach to the California Attorney General is worth paying attention to — not because it’s necessarily intentional, but because of what it signals.

There are legitimate reasons an incident response timeline can stretch out. Cyber insurance carriers are involved. The FBI may be involved. Logs need to be preserved for forensic analysis. And the organization may have only recently confirmed the actual breach date, which affects when the notification clock officially starts.

But the risk of waiting is real. Under HIPAA, covered entities generally have 60 days from discovery to notify affected individuals and report to HHS. California has its own notification requirements on top of that. The HHS HIPAA breach portal tracks exactly who has — and hasn’t — reported. That delay can mean additional fines, regulatory scrutiny, and loss of patient trust that’s very hard to rebuild.

If your practice has an incident response plan, when did you last test it? If the honest answer is “we have one somewhere” or “we’re not sure we have one,” this is the moment to fix that.


FAQ

Does a breach at another healthcare provider automatically affect my practice?

Not automatically. The first step is understanding your relationship with that organization. Do you refer patients there? Do you transmit or share patient data with them? Do you have any business associate agreements in place? The answers to those questions determine your level of exposure. If you’re not sure, that’s worth finding out this week.

How would I know if my practice is currently being targeted?

Honestly, without the right tools in place, you probably wouldn’t know. Attackers move slowly and deliberately to avoid detection. Without a Managed SOC, MDR, or similar active monitoring, unusual behavior can go unnoticed for weeks or months. If you don’t have those layers in place, you’re relying on luck.

What are my HIPAA notification obligations if we do discover a breach?

Under HIPAA, you generally have 60 days from discovery to notify affected individuals, the Department of Health and Human Services, and — for breaches affecting 500 or more residents — local media. California adds its own requirements. The specifics depend on the size and nature of the breach, which is why having an incident response plan in place before something happens is so important.

What’s the most important thing to verify after reading about a breach like this?

Don’t panic — but do have a real conversation with your IT or managed services provider. Walk through what this type of attack looked like and how a similar attack would look against your specific environment. If your provider isn’t proactively bringing security recommendations to those conversations, that’s worth paying attention to.


What to Do This Week — Not Generic Advice, Specific to This Situation

This wasn’t a headline from somewhere across the country. A provider in your region was hit, and the details are still unfolding. Here’s what actually makes sense to do right now:

Have the conversation with your IT provider. Not a vague check-in — a real walkthrough of what this attack looked like and what your current protections would and wouldn’t have caught. If your provider isn’t initiating those conversations regularly on their own, that’s a signal.

Revisit anything you’ve been putting off. Most practices have at least one security recommendation that’s been sitting on a to-do list. A breach this close to home is a reasonable reason to move it up.

Check your incident response plan. If you have one, review it. If you don’t have one, create one. Know who you’d call, what you’d preserve, and what your notification timelines are before you need that information in a crisis.

Look at your employee training schedule. If your last security training was more than three months ago, schedule the next one. Quarterly is the standard that actually makes a difference.

The goal here isn’t fear. It’s awareness — and action while there’s still time to act.

If you want to walk through where your practice actually stands, we’re happy to do that with you. Start with a free assessment at swnet.com/free-assessment.
