Stockton Cardiology Medical Group, an independent California cardiology practice with five locations across the San Joaquin Valley, has disclosed a ransomware breach originating from a December 2025 phishing incident. The GENESIS ransomware group has claimed responsibility, publishing 645 gigabytes of allegedly stolen data on a dark web leak site. The breach was formally reported to the California Attorney General on March 20, 2026.

What Happened

The intrusion chain began on December 15, 2025, when suspicious phishing emails reached employee inboxes at Stockton Cardiology. Staff deleted the messages, but the initial response proved insufficient: unauthorized access had already been established. The practice did not identify the full scope of the compromise until January 17, 2026, more than a month after the phishing event, when it discovered that files maintained for business and patient care purposes had been accessed and exfiltrated.

On February 17, 2026, the situation escalated publicly. The GENESIS ransomware group posted a claim on its dark web leak site asserting it had obtained 645 gigabytes of data from the practice's file servers. The practice confirmed on the same day that some of the compromised files had been publicly disclosed. Formal notification to the California Attorney General followed on March 20, 2026.

What Was Taken

GENESIS claims to have exfiltrated 645 gigabytes of data spanning healthcare, personal, financial, and operational records sourced from Stockton Cardiology's file servers. According to the practice's disclosure, the affected information includes:

The number of affected patients and staff has not been publicly disclosed. Given the 645GB volume and the nature of a specialty cardiology practice, the dataset likely contains significant protected health information subject to HIPAA reporting obligations.

Why It Matters

This incident highlights a recurring pattern in healthcare breaches: the gap between initial compromise and detection regularly exceeds 30 days, giving attackers ample time to stage and exfiltrate large data volumes before defenders are aware. Here, 33 days separated the phishing emails of December 15 from the practice's January 17 discovery that files had been accessed and exfiltrated, and another month passed before GENESIS published the data on February 17 and the practice confirmed the public disclosure. Patients and regulators did not hear of the breach until the March 20 filing, more than three months after the initial compromise.

Independent specialty practices are an increasingly attractive target for ransomware operators. They hold the same regulated health data as major hospital systems but typically operate with smaller security teams, older remote access infrastructure, and less mature monitoring. GENESIS following through on its threat and leaking 645GB publicly shows that the double-extortion model is still being applied to mid-sized healthcare targets, and that when the extortion fails, the data is released anyway; patients at affected practices then face prolonged exposure to identity theft and medical fraud.

The Attack Technique

The breach followed a well-documented phishing-to-exfiltration pattern. Phishing emails were delivered to employee inboxes on December 15, 2025. While the messages were deleted as part of initial triage, the attackers had already achieved unauthorized access, likely through harvested credentials or malware delivered via the phishing payload.

Remediation steps taken by Stockton Cardiology point toward the likely entry vector: the practice shut down an older remote access service that staff had been using and added multi-factor authentication to certain internal systems. This suggests attackers leveraged phished credentials against a legacy remote access gateway that lacked MFA, pivoted to file servers, and staged data for exfiltration over several weeks before GENESIS operators extracted and published the archive.

What Organizations Should Do

  1. Deploy phishing-resistant MFA across all remote access: Retire legacy VPN and remote access services that rely on single-factor authentication. Enforce FIDO2 or equivalent phishing-resistant MFA on every externally reachable system.
  2. Shorten detection timelines with EDR and egress monitoring: Deploy endpoint detection and response across all endpoints, and baseline outbound data volumes per host so that an unusually large transfer from a file server to an external address is flagged while exfiltration is still in progress, not after the leak site post.
  3. Audit and decommission legacy access paths: Inventory every remote access service, including tools maintained by individual staff or departments. Decommission anything that cannot be brought under central policy and MFA enforcement.
  4. Enforce aggressive data retention policies: A 645GB haul from a single practice's file servers is unlikely to consist only of active patient records; stale operational and billing data left on live shares inflates what an intruder can take. Implement retention limits that purge such data from live file servers on a defined schedule.
  5. Train staff to report, not just delete, suspicious emails: Deletion does not remediate a click. Ensure employees report phishing attempts to IT immediately so that credentials can be rotated and sessions invalidated before attackers act.
  6. Run tabletop exercises covering double extortion scenarios: Rehearse the specific scenario where a ransomware group posts stolen data publicly before the organization has confirmed a breach, including legal, PR, and regulatory notification workflows.

Sources: Stockton Cardiology reveals ransomware breach as GENESIS claims 645GB stolen