Stockton Cardiology Medical Group, an independent California cardiology practice operating five locations across the San Joaquin Valley, has confirmed a ransomware-linked data breach after the GENESIS extortion group published a claim on the dark web asserting it had exfiltrated 645 gigabytes of healthcare, personal, financial, and operational data. The intrusion traces back to a December 15, 2025 phishing email and was formally reported to the California Attorney General on March 20, 2026.

What Happened

On December 15, 2025, suspicious phishing emails were delivered to Stockton Cardiology employees and were subsequently deleted as part of the practice's initial response. Despite that deletion, the attackers had already established enough access to reach files maintained for business and patient care purposes. The practice did not discover the full extent of unauthorized access and file removal until January 17, 2026, more than a month after the initial phishing event. On February 17, 2026, Stockton Cardiology learned that stolen files had been published online when the GENESIS ransomware group posted a claim on a dark web leak site asserting possession of 645 gigabytes of the practice's data. Notification to the California Attorney General followed on March 20, 2026, with individual patient and staff notifications issued shortly thereafter.

What Was Taken

GENESIS claims to have exfiltrated 645 GB of data sourced from Stockton Cardiology's file servers. Confirmed categories of compromised information include patient names, mailing addresses, email addresses, and billing records that may contain limited medical information. The GENESIS leak post further claims the dataset contains healthcare records, personal identifiers, financial data, and internal operational files. The total number of affected patients and staff has not been publicly disclosed. Given the cardiology specialty, exposed billing and medical data likely references cardiac diagnoses, procedures, and insurance identifiers, elevating both clinical sensitivity and fraud exposure for victims.

Why It Matters

This incident illustrates a pattern increasingly common in independent specialty practices: an email-borne intrusion goes undetected long enough for attackers to stage and exfiltrate large volumes of working files before any security alert fires. The 63-day gap between initial compromise and internal detection, followed by public disclosure only after GENESIS leaked the data, highlights the limited monitoring and response maturity at many mid-size healthcare providers. Cardiology and other specialty clinics often retain extensive longitudinal patient records with limited SOC coverage, making them high-value, low-friction targets for extortion-focused actors. The breach also reinforces that legacy remote access services and the absence of MFA on internal systems remain primary footholds for ransomware affiliates in 2026.

The Attack Technique

Initial access was achieved via phishing emails delivered on December 15, 2025. Although recipients deleted the messages as suspicious, the attackers had already obtained the access needed to reach internal file servers. Post-compromise activity remained undetected for over a month, during which operators staged and exfiltrated hundreds of gigabytes of files. In its remediation statements, Stockton Cardiology confirmed it shut down an older remote access service that staff had been using, indicating that legacy remote access likely played a role in persistence or lateral movement. The practice also added multi-factor authentication to certain internal systems, implying MFA was not uniformly enforced at the time of compromise. GENESIS then pursued a leak-site extortion model, publishing the stolen data two months after initial access.

What Organizations Should Do

  1. Enforce phishing-resistant MFA across all employee accounts, VPNs, remote access services, and administrative interfaces, with no exceptions for legacy systems.
  2. Retire or segment legacy remote access services and replace them with modern ZTNA or identity-aware proxies that log and alert on anomalous session behavior.
  3. Deploy endpoint detection and response (EDR) with 24/7 monitoring across clinical and administrative endpoints, and instrument file servers for unusual access volumes or outbound data transfers.
  4. Implement data retention and minimization policies that limit the volume of working patient files resident on network file shares to what is operationally required.
  5. Conduct phishing-awareness training plus simulated phishing exercises, and configure mail gateways to sandbox attachments and rewrite URLs for post-delivery detonation.
  6. Develop and rehearse an incident response playbook that assumes post-phishing intrusion, including mandatory forensic triage of any endpoint that received a reported phishing email, not just deletion of the message.
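Step 3 above calls for instrumenting file servers for unusual access volumes, the kind of signal that would have surfaced a month-long staging of hundreds of gigabytes. The following is an added example, not code from the original article or from Stockton Cardiology: it reads a constructed CSV export of file-server audit events (the `timestamp,user,operation,path,bytes` layout is an assumption) and flags any account whose read volume in one hour dwarfs that account's own median hourly volume.

```python
"""Flag file-server accounts whose hourly read volume far exceeds their
own baseline. Added example; the CSV audit-log layout is assumed."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit export: five working days of routine chart
# reads by two accounts, then one account pulling a whole directory of
# archives in a single evening hour.
SAMPLE_LOG = "\n".join(
    ["timestamp,user,operation,path,bytes"]
    + [f"2025-12-{d:02d}T{h:02d}:15:00,{u},READ,"
       f"/shares/patients/chart_{d}{h}.pdf,250000"
       for d in range(16, 21) for h in (9, 11, 14)
       for u in ("nurse1", "billing1")]
    + [f"2025-12-20T22:{m:02d}:00,billing1,READ,"
       f"/shares/patients/export_{m}.zip,40000000"
       for m in range(0, 60, 5)]
)


def parse_records(text):
    """Parse the audit CSV into dicts with typed timestamp and byte count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "user": r["user"],
            "op": r["operation"],
            "path": r["path"],
            "bytes": int(r["bytes"]),
        })
    return rows


def hourly_read_volume(records):
    """Sum bytes read per (user, hour bucket); writes are ignored."""
    vol = defaultdict(int)
    for r in records:
        if r["op"] != "READ":
            continue
        bucket = r["ts"].replace(minute=0, second=0, microsecond=0)
        vol[(r["user"], bucket)] += r["bytes"]
    return vol


def flag_volume_spikes(records, factor=10, floor_bytes=50_000_000):
    """Return (user, hour, bytes, baseline) for every hour in which a user's
    read volume exceeds both `factor` times that user's median hourly volume
    and an absolute floor (so a quiet account reading two PDFs does not fire).
    The median is used rather than the mean so the spike itself does not
    inflate the baseline it is compared against."""
    vol = hourly_read_volume(records)
    per_user = defaultdict(list)
    for (user, _hour), b in vol.items():
        per_user[user].append(b)
    alerts = []
    for (user, hour), b in sorted(vol.items()):
        baseline = median(per_user[user])
        if b >= floor_bytes and b > factor * baseline:
            alerts.append((user, hour.isoformat(), b, baseline))
    return alerts


if __name__ == "__main__":
    for user, hour, total, baseline in flag_volume_spikes(parse_records(SAMPLE_LOG)):
        print(f"ALERT {user} read {total:,} bytes in hour {hour} "
              f"(median hourly baseline {baseline:,.0f})")
```

On the constructed data only `billing1` fires, for the 22:00 hour on 2025-12-20. In practice the per-user median should be computed over a longer rolling window than the hour under evaluation, and the alert should be joined with the session source (VPN or remote-access gateway) so that a spike from a legacy remote service, as in this incident, is immediately visible.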

Sources: Stockton Cardiology reveals ransomware breach as GENESIS claims 645GB stolen