Two California Healthcare Breaches Expose SSNs and Surgical Records in 2026

A California oral surgery practice and a San Francisco nonprofit childcare agency both disclosed data breaches in early March 2026 — each tracing back to network intrusions from the summer of 2025. Together, the incidents exposed Social Security numbers, surgical records, treatment plans, and prescription data belonging to thousands of patients and community members, and both disclosures arrived months after the attacks occurred.

California continues to be the state reporting the highest number of large healthcare data breaches. When two separate disclosures landed in the first week of March 2026 — one from a small oral surgery practice in the South Bay, the other from a well-known nonprofit serving San Francisco's childcare system — they illustrated a pattern that security researchers have been tracking for years: attackers penetrate networks, exfiltrate data, and disappear before the organization fully understands what was taken. The affected organization then spends months in forensic review while the individuals whose data was taken remain unaware.

Tieu Dental: What Happened and What Was Taken

Tieu Dental Corporation is a California-based provider of oral and maxillofacial surgery services, with offices in Campbell and Morgan Hill. On or around July 29, 2025, the practice identified unauthorized access to its computer network. A forensic investigation confirmed that an unknown third party had been inside the network during a narrow window — July 28 to July 29, 2025 — and had potentially accessed and removed files containing protected health information.

The investigation was not completed quickly. It was not until January 11, 2026, nearly six months after the intrusion, that Tieu Dental confirmed which files had been compromised and what patient data was present in them. The formal breach report was filed with the California Attorney General and the Massachusetts Office of Consumer Affairs and Business Regulation on March 5, 2026. The practice also published a notice on its website that same day.

The data categories confirmed as potentially compromised include full names, dates of birth, Social Security numbers, medical records, treatment plans, prescription information, and health insurance details. For patients of an oral and maxillofacial surgery practice — a specialty that treats conditions ranging from wisdom tooth removal to complex jaw surgery — that category of clinical detail is unusually sensitive. Treatment plans and prescription records in this context can include information about sedation, pain management, and underlying medical conditions that informed surgical decisions.

"This breach stands out for the sheer breadth of what was potentially taken." — The Lyon Firm, March 2026

As of the time of disclosure, Tieu Dental stated it had not identified any confirmed misuse of the compromised data. The practice offered complimentary credit monitoring and identity theft protection services to affected individuals. No ransomware group has publicly claimed responsibility for the Tieu Dental intrusion, and the incident had not yet appeared on the HHS Office for Civil Rights breach portal at the time of this writing, meaning the total number of affected individuals remains unconfirmed in federal records.

Tieu Dental — Breach Timeline
  JUL 28–29, 2025: Network intrusion
  JUL 29, 2025: Breach identified
  JAN 11, 2026: Data scope confirmed
  MAR 5, 2026: Public disclosure
Tieu Dental Corporation — approximately 219 days elapsed from intrusion to public disclosure.

Children's Council of San Francisco: SafePay Claims Responsibility

The second breach disclosed in the same window involves the Children's Council of San Francisco (CCSF), a nonprofit childcare resource and referral agency that serves families, childcare providers, and child development programs across San Francisco. CCSF experienced a network disruption on August 3, 2025. With the help of third-party cybersecurity experts, the organization investigated the incident and determined that an unauthorized actor had entered the network on August 1, 2025 — two days before the disruption was noticed — and had acquired certain files.

The SafePay ransomware group claimed responsibility for the attack on August 19, 2025, listing CCSF on its data leak website and demanding a ransom payment within 24 hours. SafePay employs a double-extortion model: it encrypts victim systems and simultaneously threatens to publish exfiltrated data unless payment is received. CCSF has not publicly acknowledged SafePay's claim, and it remains unknown whether any ransom was paid.

"On August 3, 2025, ChCo experienced a network disruption." — Children's Council of San Francisco breach notice to affected individuals

The forensic file review was completed on or around February 23, 2026. CCSF confirmed that names and Social Security numbers were present in the files the attacker acquired. Notification letters were mailed to the 12,655 affected individuals on March 2, 2026. A report was filed with the Maine Attorney General on March 3, 2026 — Maine requires notification regardless of how few state residents are affected, making filings there a reliable public indicator of national breach scope. The report confirmed that one Maine resident was among those affected.

CCSF offered complimentary single-bureau credit monitoring and identity theft protection services to those notified. The nature of the organization — a nonprofit working with families and childcare providers — raises additional questions about the types of individuals whose Social Security numbers may have been in those files, including whether any data belonged to children or childcare workers whose records the agency maintains as part of its referral and subsidy coordination services.

About SafePay

SafePay is a ransomware group that began listing victims on its data leak site in November 2024. It uses ransomware built on the LockBit codebase and employs double extortion — demanding payment both to restore encrypted systems and to prevent public release of stolen data. In 2025 alone, SafePay claimed responsibility for 374 ransomware attacks. Of those, 46 were confirmed by the targeted organizations, and those confirmed incidents affected approximately 17 million people. The group's largest confirmed breach in 2025 was against Conduent Business Services, which affected 16.7 million individuals. SafePay remained active as of early 2026. Source: Comparitech, March 2026.

The Notification Gap: Why Months Passed Before Disclosure

In both cases, a significant amount of time elapsed between the initial intrusion and the notification of affected individuals. For Tieu Dental, the gap between the attack (July 28, 2025) and the public filing (March 5, 2026) spans roughly 219 days. For CCSF, the gap between the network disruption (August 3, 2025) and the mailing of notification letters (March 2, 2026) is approximately 211 days.

These timelines are not unusual in healthcare breach investigations, but they are legally significant under multiple overlapping frameworks. The HIPAA Breach Notification Rule requires covered entities to notify affected individuals and report to the HHS Office for Civil Rights within 60 days of discovering a breach. When a breach affects 500 or more individuals in a state, the covered entity must also notify prominent media outlets in that state.

California imposes additional requirements. A 2026 amendment to the state's data breach notification law — effective January 1, 2026 — requires covered businesses to notify affected California residents within 30 calendar days of discovering a breach. Tieu Dental confirmed the scope of its breach on January 11, 2026, and filed its notification with the California Attorney General on March 5, 2026 — a gap of 53 days from confirmation to public disclosure filing. Whether that satisfies California's 30-day notification requirement, given that the 30-day clock may run from the date of discovery rather than the date of scope confirmation, is a question that legal observers have flagged as worth watching.

"That timeline — attack in July, discovery in January, public disclosure in March — is the kind of gap that leaves patients exposed without any chance to protect themselves." — The Lyon Firm, March 2026

The California Attorney General must also receive a sample copy of the breach notification within 15 days of notifying consumers, when the breach affects more than 500 California residents. These layered requirements — federal HIPAA timelines, California's newer 30-day rule, and the AG notification requirement — create a compliance environment that is among the most demanding in the country.

California's Regulatory Landscape and What It Means for Affected Individuals

California has earned a reputation as one of the most active enforcers of data protection standards in the United States. The state's Attorney General can impose financial penalties on both HIPAA-covered entities and non-HIPAA businesses when breaches violate state law. Patients and other affected individuals also have a private right of action under the California Consumer Privacy Act and its amendment, the CPRA, depending on the circumstances of the breach and the type of data involved.

The Tieu Dental breach is particularly consequential under HIPAA because dental practices are covered entities, meaning they are directly subject to the Security Rule, Privacy Rule, and Breach Notification Rule. A breach involving surgical records, prescription data, and Social Security numbers from an oral surgery practice will almost certainly draw scrutiny from the HHS Office for Civil Rights. In early 2026, OCR Director Paula M. Stannard confirmed that the agency's enforcement initiative targeting risk analysis compliance would continue throughout 2026 and would be expanded to include risk management practices — meaning organizations that experience breaches will need to demonstrate not only that they conducted risk analyses, but that they acted on the findings.

For the Children's Council of San Francisco, the regulatory picture is more nuanced. As a nonprofit childcare resource agency rather than a healthcare provider, CCSF may not be a HIPAA-covered entity in the traditional sense, although it handles personal information for thousands of families and could be subject to California's state-level breach notification statutes regardless. The agency's decision to notify the Maine Attorney General is consistent with breach notification obligations that apply across states when affected individuals are residents of those states.

If You Received a Notification Letter

If you received a breach notification from Tieu Dental Corporation or the Children's Council of San Francisco, take immediate steps: place a free credit freeze with all three major bureaus (Equifax, Experian, TransUnion), enroll in the complimentary credit monitoring offered by the organization, review your Explanation of Benefits documents for any services you did not receive, and consider filing an identity theft report with the FTC at IdentityTheft.gov if you detect suspicious activity.

Dental and Healthcare Providers Remain High-Value Targets

The Tieu Dental and CCSF disclosures land at a moment when the healthcare sector's overall breach numbers show some modest improvement, but the underlying targeting by ransomware groups has not abated. According to the HIPAA Journal's 2025 Healthcare Data Breach Report, more than 700 large healthcare data breaches — those affecting 500 or more individuals — were reported to the HHS Office for Civil Rights in 2025, though the total represented a roughly 4.3% year-over-year decline from 2024.

Dental providers have faced sustained targeting throughout this period. In 2025 alone, significant breaches affected Absolute Dental in Nevada (approximately 1.22 million patients, traced to a compromised managed services provider), Chord Specialty Dental Partners in Tennessee (approximately 173,000 individuals, via an email compromise), and West Texas Oral Facial Surgery (more than 11,000 individuals). A settlement reached in Indiana in 2025 saw Westend Dental pay $350,000 after regulators determined the practice had delayed notifying patients of a ransomware attack — an outcome that illustrates the financial exposure organizations face when they fail to comply with notification timelines.

Hackers target healthcare organizations, including dental practices, for a specific reason: the combination of demographic identifiers, insurance data, clinical records, and financial information contained in a single patient file is more valuable on criminal markets than almost any other category of stolen record. A Social Security number alone enables identity theft. Paired with a date of birth, health insurance ID, and treatment history, it enables medical identity fraud — fraudulent insurance claims, prescription fraud, and the long-term corruption of a victim's medical record.

For small and mid-sized practices like Tieu Dental, the challenge is structural. The security investments required to detect lateral movement, prevent data exfiltration, and maintain comprehensive audit logs are substantial relative to operational budgets. Yet the regulatory and legal exposure from a breach of this scope — particularly in California, where enforcement is aggressive and civil litigation is common — can be existential. The HIPAA Security Rule's risk analysis requirement is frequently the first failure identified when OCR investigates a breach; the agency's expanded 2026 enforcement initiative explicitly adds risk management — the step of actually acting on identified risks — to the list of compliance elements it will examine.

The data also illustrates how double-extortion ransomware has changed the calculus for small organizations. SafePay's demand to CCSF included a 24-hour payment deadline, a tactic designed to prevent victims from consulting legal counsel, engaging cybersecurity firms, or evaluating their options. Whether CCSF paid or refused, the data still ended up compromised — because under double extortion, exfiltration occurs before encryption, and the threat to publish is independent of the ransom for restoring systems.

Key Takeaways

  1. Two California disclosures, one week: Tieu Dental Corporation (Campbell and Morgan Hill) and the Children's Council of San Francisco both filed breach notifications in the first week of March 2026, each tracing to summer 2025 intrusions that went months before full public disclosure.
  2. Data exposed is highly sensitive: Tieu Dental's confirmed compromised data includes Social Security numbers, surgical records, treatment plans, prescriptions, and health insurance information. CCSF's confirmed compromised data includes names and Social Security numbers for 12,655 individuals.
  3. SafePay is an active and growing threat: The ransomware group that claimed the CCSF attack conducted 374 attacks in 2025, with 46 confirmed by victims affecting approximately 17 million people. It remains active in 2026 and uses LockBit-based ransomware with double-extortion tactics.
  4. California's 30-day notification rule is new and untested: Effective January 1, 2026, California requires breach notification within 30 calendar days of discovery. The notification timelines in both incidents could face scrutiny under this new standard.
  5. OCR enforcement is expanding in 2026: The HHS Office for Civil Rights has confirmed it will enforce both risk analysis and risk management requirements during breach investigations, meaning practices that experience breaches must demonstrate they identified risks and acted on them — not just that they conducted an analysis.

The two California breaches disclosed in early March 2026 are individually significant and collectively instructive. They demonstrate that healthcare and community-service organizations of any size remain within the targeting scope of sophisticated ransomware groups, that forensic investigations routinely take months to complete even when breaches are detected quickly, and that the regulatory and legal consequences of a breach in California are among the most severe in the country. For patients of Tieu Dental and members of the communities served by the Children's Council of San Francisco, the immediate priority is monitoring — and understanding that the data taken may not surface in any identifiable fraud for months or years.

Sources: HIPAA Journal; Becker's Dental Review; ClassAction.org; The Lyon Firm; Comparitech; ClaimDepot; HIPAA Journal 2025 Data Breach Report; HIPAA Journal Violation Cases; The Fox Group on California SB 446