
California Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

A timeline of major cybersecurity incidents affecting California businesses and government agencies, from the Yahoo mega-breaches to Scripps Health ransomware. Learn what happened, which industries were hit, and what California law requires after a breach.

California is home to the largest concentration of technology companies on Earth, a massive healthcare sector, the entertainment capital of the world, and the most populous state government in the nation. That combination makes it one of the most heavily targeted states for cyberattacks. From the Yahoo breaches that exposed three billion accounts to the Scripps Health ransomware attack that shut down hospital systems across San Diego, California organizations have faced some of the most consequential cyber incidents in U.S. history.

Understanding the pattern of attacks targeting California businesses is not an academic exercise — it is essential context for any organization operating in the state. The incidents below reveal which industries attackers prioritize, which attack vectors they favor, and what the real-world consequences look like when defenses fail. California was also the first state to enact a data breach notification law, meaning the legal obligations that follow a breach here are among the most demanding in the country.

Major Cyber Incidents in California (Timeline)

The following timeline covers confirmed, publicly reported incidents affecting California-based organizations. Each entry reflects the scope, attack vector, and outcome as documented in breach disclosures, regulatory filings, and news reporting.

Yahoo Data Breaches (2013–2014, Disclosed 2016)

The Yahoo breaches remain the largest data breaches in history. The 2013 breach compromised all three billion Yahoo user accounts, while a separate 2014 breach affected 500 million accounts. Attackers — later attributed to Russian state-sponsored actors — accessed names, email addresses, phone numbers, dates of birth, hashed passwords, and security questions. Yahoo, headquartered in Sunnyvale, ultimately accepted a $350 million reduction in its acquisition price from Verizon and paid $117.5 million in a class-action settlement.

Anthem Blue Cross Breach (2015)

Anthem Inc., the largest health insurer in California, suffered a breach affecting 78.8 million records — the largest healthcare data breach in U.S. history at the time. Attackers used spear-phishing emails to gain credentials, then exfiltrated names, Social Security numbers, medical IDs, addresses, and employment information over several weeks. The breach resulted in a $115 million class-action settlement and a $16 million HIPAA penalty from the U.S. Department of Health and Human Services.

Hollywood Presbyterian Medical Center Ransomware (2016)

Hollywood Presbyterian Medical Center in Los Angeles was one of the first major hospitals to publicly acknowledge paying a ransom. The Locky ransomware encrypted hospital systems, forcing staff to revert to paper records and fax machines for ten days. The hospital paid 40 Bitcoin (approximately $17,000 at the time) to restore access. This incident foreshadowed the wave of healthcare ransomware attacks that would intensify over the following years.

Equifax Breach — California Impact (2017)

While Equifax is headquartered in Georgia, the breach of 147 million records had an outsized impact on California due to the state's population size. An estimated 15 million Californians were affected. The California Attorney General was among the first state AGs to open an investigation, and the breach became a catalyst for strengthening California's breach notification requirements.

SolarWinds Supply Chain Attack — California Impact (2020)

The SolarWinds Orion supply chain compromise affected multiple California state agencies and technology companies that used the platform for network monitoring. While the full scope of California-specific impact remains partially classified, public reporting confirmed that California state government entities were among the 18,000 organizations that installed the compromised update, making it one of the most sophisticated supply chain attacks to hit the state.

UC San Diego Health Breach (2021)

UC San Diego Health disclosed that unauthorized access to employee email accounts between December 2020 and April 2021 exposed patient records including names, dates of birth, medical record numbers, claims information, laboratory results, and Social Security numbers. The breach highlighted the vulnerability of academic medical centers and the extended dwell times attackers can achieve through email account compromises.

Scripps Health Ransomware Attack (2021)

Scripps Health, one of San Diego's largest health systems with five hospitals and 19 outpatient facilities, suffered a ransomware attack that disrupted operations for nearly a month. The attack forced ambulance diversions, delayed patient care, and compromised records of approximately 147,000 patients. Scripps estimated the financial impact at $113 million in lost revenue and recovery costs — a stark illustration of why healthcare organizations need robust cybersecurity.

California DMV Vendor Breach (2021)

The California Department of Motor Vehicles disclosed that a ransomware attack on its contractor, Automatic Funds Transfer Services, potentially compromised 38 million vehicle registration records including names, addresses, license plate numbers, and vehicle identification numbers. The incident underscored the risks of third-party vendor relationships in government operations.

California's Data Breach Notification Law

California enacted the nation's first data breach notification law in 2003 — California Civil Code §1798.82, also known as SB 1386. This law has been amended multiple times and remains among the most protective breach notification statutes in the United States.

Key Requirements Under §1798.82

  • Individual notification: Any person or business that owns or licenses computerized personal information must notify California residents when their unencrypted data has been, or is reasonably believed to have been, acquired by an unauthorized person

  • Attorney General notification: If a breach affects more than 500 California residents, the organization must submit a sample notification to the California Attorney General within 72 hours

  • Notification content: The notification must include the date of the breach, description of the information compromised, toll-free numbers for credit reporting agencies, and the contact information for the notifying entity

  • Encryption safe harbor: If the breached data was encrypted and the encryption key was not compromised, notification is not required

How California Compares to Other States

California's law is notably broader than most states in its definition of personal information, which includes biometric data, health insurance information, and login credentials paired with security questions. The 72-hour AG notification requirement is also stricter than the majority of state statutes. For a full breakdown of California's data privacy and cybersecurity laws, see our compliance guide.

Which California Industries Are Most Targeted?

California's economic diversity means nearly every major industry vertical faces significant cyber risk, but certain sectors absorb a disproportionate share of attacks.

Technology and SaaS

Silicon Valley and the broader Bay Area tech ecosystem are constant targets for intellectual property theft, source code exfiltration, and supply chain compromises. Nation-state actors — particularly those attributed to China and Russia — target California tech companies for competitive intelligence and strategic advantage. Startups are particularly vulnerable because they often prioritize rapid growth over security infrastructure.

Healthcare

California has the largest healthcare sector of any state, with major hospital systems, academic medical centers, biotech companies, and health insurers. Healthcare data commands premium prices on dark web markets, and ransomware operators know that hospitals face life-or-death pressure to restore systems quickly. The Scripps Health and Hollywood Presbyterian incidents are representative of a broader pattern.

Entertainment

The entertainment industry concentrated in Los Angeles faces unique threats including pre-release content theft, ransomware targeting post-production facilities, and social engineering attacks against high-profile individuals. The 2014 Sony Pictures hack — while Sony is headquartered in Japan, the attack targeted its Culver City studios — demonstrated the catastrophic potential of attacks against entertainment companies.

State and Local Government

California state agencies and municipalities manage enormous volumes of citizen data and often operate legacy systems with known vulnerabilities. The DMV vendor breach illustrated how government data exposure can occur through contractor relationships even when the agency's own systems remain secure.

What California Businesses Must Do After a Breach

California law imposes specific obligations on organizations that experience a data breach. The following checklist reflects requirements under California Civil Code §1798.82 and related statutes.

  • Contain the breach immediately: Isolate affected systems, revoke compromised credentials, and preserve forensic evidence before beginning recovery

  • Engage legal counsel: Retain a breach response attorney to manage privilege and advise on notification obligations under California and federal law

  • Conduct a forensic investigation: Determine the scope of unauthorized access, which data elements were exposed, and whether data was actually exfiltrated

  • Notify affected individuals: Send written notification to all California residents whose unencrypted personal information was compromised, in the most expedient time possible and without unreasonable delay

  • Notify the Attorney General: If more than 500 California residents are affected, submit a sample copy of the notification to the California AG within 72 hours

  • Offer identity protection services: While not strictly required by statute, offering 12–24 months of identity monitoring has become standard practice and may mitigate litigation risk

  • File regulatory notifications: Determine whether HIPAA, PCI-DSS, SEC, or other regulatory bodies require separate notifications based on the type of data and your industry

  • Document everything: Maintain a complete record of your response timeline, decisions, and communications for potential regulatory review or litigation

How to Protect Your California Business

The pattern of California breaches reveals consistent defensive gaps that organizations can address with established security practices.

Implement Multi-Factor Authentication Everywhere

Multiple California breaches — including UC San Diego Health and Anthem — involved compromised credentials that could have been mitigated with MFA. Every externally facing system, email account, and VPN should require a second authentication factor.

Manage Third-Party Vendor Risk

The DMV and SolarWinds incidents demonstrate that your security is only as strong as your weakest vendor. Implement vendor security assessments, contractual security requirements, and monitoring of critical third-party access. Understanding what managed IT services provide can help organizations evaluate which security functions to handle internally versus through a trusted provider.

Invest in Endpoint Detection and Response

Traditional antivirus did not prevent any of the major California incidents listed above. Modern EDR solutions provide behavioral analysis that can detect and contain ransomware before it spreads laterally across your network. Organizations should consider managed IT security services that include 24/7 EDR monitoring.

Conduct Regular Security Assessments

Annual penetration testing, quarterly vulnerability scanning, and regular tabletop exercises ensure that defenses evolve alongside the threat landscape facing California businesses. Security is not a one-time project — it requires continuous evaluation and improvement.

Frequently Asked Questions

How many data breaches occur in California each year?

California consistently ranks among the top states for reported data breaches. The California Attorney General's office receives hundreds of breach notifications annually, with the exact number varying year to year. The high volume reflects both the state's large population and its concentration of high-value targets in technology, healthcare, and financial services.

What is the penalty for failing to notify after a breach in California?

Under California Civil Code §1798.84, any customer injured by a violation of the breach notification law may bring a civil action to recover damages. The California Attorney General can also bring enforcement actions. Courts can award statutory damages of up to $750 per consumer per incident under the CCPA's private right of action for certain types of breaches involving inadequate security.

Does California's breach notification law apply to out-of-state companies?

Yes. California's law applies to any person or business that conducts business in California and owns or licenses computerized data that includes personal information of California residents, regardless of where the business is headquartered. If you have California customers or employees, you are subject to the law.

Are encrypted records exempt from California breach notification?

California provides a safe harbor for encrypted data — if the breached information was encrypted and the encryption key was not compromised in the same incident, notification is not required. However, this exemption does not apply if the encryption was inadequate or if the key was also exposed.

How does California's breach notification law differ from CCPA?

The breach notification law (§1798.82) and the California Consumer Privacy Act (CCPA/CPRA) are separate statutes with different scopes. The breach notification law covers post-incident disclosure obligations for all businesses. The CCPA governs how businesses collect, use, and sell consumer data, and includes a private right of action specifically for breaches resulting from a failure to implement reasonable security measures. Both laws may apply simultaneously when a breach occurs at a CCPA-covered business.


Alex Morgan

Updated Apr 4, 2026 · 9 min read