Brown & Toland Physicians, a San Francisco-based physician network, has notified patients of a data security incident that occurred through Episource, LLC, a third-party company that Brown & Toland works with to support its health services. If you received a notification about this incident, your sensitive personal and health information may have been compromised — and you may have legal rights.
What Happened?
On February 6, 2025, Episource, LLC — a company that works with doctors, health plans, and other healthcare organizations, including Brown & Toland Physicians — discovered unusual activity in its computer systems. Episource immediately took steps to stop the activity, launched an investigation, engaged a specialized forensic team, and contacted law enforcement. Episource also shut down its computer systems to help protect its customers and their patients.
The investigation determined that a criminal was able to view and copy certain data in Episource’s computer systems between January 27, 2025 and February 6, 2025. Episource began notifying affected customers about what specific data may have been involved starting on April 23, 2025. Brown & Toland Physicians reported the breach to the California Attorney General on January 26, 2026.
What Information Was Exposed?
According to the official breach notice, the data that may have been viewed and copied varies by individual and includes contact information — such as name, address, phone number, and email address — plus one or more of the following:
- Health insurance data, including health plans and policies, insurance companies, member and group ID numbers, and Medicaid, Medicare, or government payor ID numbers
- Health data, including medical record numbers, doctors, diagnoses, medicines, test results, images, and care and treatment information
- Other personal data, including Social Security number or date of birth
The combination of health insurance records, medical histories, and Social Security numbers creates significant risk of identity theft, medical fraud, and insurance fraud.
What Is Being Done?
Episource took steps to strengthen its computer systems following the incident. In response, Brown & Toland and Episource offered affected individuals two years of complimentary credit monitoring and identity theft protection services through IDX.
Your Rights as an Affected Individual
When a healthcare organization entrusts patient data to a third-party vendor, it retains responsibility for ensuring that data is protected. A breach at the vendor level does not diminish the rights of affected patients. Under HIPAA and California privacy law, you may have the right to seek compensation for:
- The unauthorized access and copying of your personal and protected health information
- Costs associated with credit and identity monitoring
- Actual financial losses resulting from identity theft, insurance fraud, or tax fraud
- Emotional distress caused by the exposure of sensitive medical and personal information
Contact Wilshire Law Firm for a Free Consultation
If you received a notification about the Brown & Toland Physicians data breach, Wilshire Law Firm wants to hear from you. Our legal professionals can evaluate your situation and help you understand your rights — at no cost.
We take no fees unless you get paid.
Contact us online to speak with a legal professional today.
