Two class action law firms specializing in data breaches, Shamis & Gentile, P.A., and Strauss Borrelli PLLC, have announced they are looking into a recent incident at Vibra Hospital of Sacramento that resulted in the exposure of personally identifiable information (PII) and protected health information (PHI). This compromised information could potentially be used in fraudulent activities or identity theft schemes. Anyone who was impacted by this breach may be entitled to compensation, which could include reimbursements for out-of-pocket expenses, time spent addressing the breach, or payment for emotional distress.
Vibra Hospital of Sacramento, located in Folsom, California, is a critical care hospital that is part of the national healthcare provider Vibra Healthcare. The hospital is known for specializing in treating individuals with complex and chronic medical conditions that require extended hospitalization. The facility released a notice on October 3, 2025, informing patients of the security incident and disclosed the breach to the California Attorney General’s office on October 24, 2025.
The hospital first discovered suspicious activity related to several employee email accounts on or about March 13, 2025. Immediate action was taken to secure the accounts and a team of third-party specialists was engaged to investigate the incident. The investigation ultimately found that six employee email accounts were hacked between March 12 and March 22, 2025. On August 4, 2025, it was confirmed that an unauthorized third-party may have accessed personal information in connection with the incident.
The information potentially contained within these compromised email accounts is extensive and may have included patient names, addresses, dates of birth, Social Security numbers, dates of medical service, medical diagnosis information, individual health insurance policy numbers, physician or medical facility information, medical condition or treatment details, Medicare or Medicaid numbers, and patient and financial account numbers. Vibra Hospital noted that the specific types of potentially impacted information may vary for each individual and could include all or just one of the listed categories.
As of the October 3 notification, Vibra Hospital stated it was not aware of any evidence that the PHI or PII had been misused. However, the hospital explained, “we were unable to rule out the possibility that the information could have been accessed,” and therefore, they are notifying potentially impacted individuals out of an abundance of caution. The hospital has partnered with forensic specialists to evaluate and reinforce existing security measures within its email system and is reviewing its policies and procedures related to data security.
Reference:
