Skip to main content
A closing laptop in a dark room

OSI Systems Data Breach

Written by Joseph Lyon on . Posted in Data Breach.

Key Takeaways

  • OSI Systems, a California-based defense and security technology company, suffered a ransomware attack on December 25, 2025.
  • The cybercriminal group INC Ransom claimed responsibility and posted stolen data on the dark web, alleging 250GB of confidential information was exfiltrated.
  • OSI completed its internal review on February 10, 2026, and began mailing breach notification letters to affected individuals on March 11, 2026.
  • Approximately 4,910 individuals across the United States had personal information potentially exposed.
  • If you received a notification letter, California law may entitle you to compensation. The Lyon Firm offers free consultations.

What Is OSI Systems and How Did the Breach Happen?

OSI Systems, Inc. is a technology company based in Hawthorne, California, that designs, manufactures, and sells specialized electronic systems used in airport security, border checkpoints, hospitals, and other critical infrastructure. The company serves clients ranging from U.S. government agencies to global defense and healthcare corporations, making the security of its data systems a matter of particular sensitivity.

OSI Systems discovered suspicious activity on its network on December 25, 2025. The company secured its systems and launched an investigation with the help of third-party forensic specialists. Days later, the ransomware group INC Ransom publicly claimed responsibility, posting about the breach on the dark web on December 30, 2025, and stating that 250GB of confidential company and client data had been stolen.

OSI completed its review on February 10, 2026, and began mailing data breach notification letters to impacted individuals on March 11, 2026. That nearly three-month gap between discovery and notification is legally significant, and it is one of the issues The Lyon Firm is examining on behalf of affected individuals.

What Personal Information Was Exposed?

The OSI Systems data breach involved sensitive personal information belonging to over 4,900 individuals. While the information impacted varies depending on the individual, sensitive personal identifiable information in OSI’s care may have been compromised. OSI’s notification letters provide recipients with a list of the specific data types affected in their individual case.

For a company deeply embedded in homeland security, defense, and healthcare technology, the categories of employee and client data held within its systems are likely to be extensive. Exposed personal information in breaches of this nature commonly includes names, Social Security numbers, financial account information, government identification numbers, and employment records — all data types that carry serious long-term fraud and identity theft risk.

The fact that INC Ransom published stolen data publicly on the dark web adds another layer of exposure. Even if OSI has since secured its systems, data already posted publicly cannot be unpublished.

Your Legal Rights as an Affected Individual

California’s data privacy framework is among the strongest in the nation, and it applies directly here. OSI Systems is headquartered in Hawthorne, California, and is subject to the California Consumer Privacy Act (CCPA) and related statutes governing the protection of personal information.

Under California law, companies that collect and store personal data have an obligation to implement reasonable security measures. When a preventable breach occurs affected individuals may have grounds to pursue claims for negligence in data security practices, failure to implement adequate safeguards, delayed breach notification, and violation of California privacy statutes. Statutory damages, compensation for time spent responding to the breach, and damages for the risk of future harm are all potential remedies.

Importantly, you do not need to show that your data has already been misused to have a viable legal claim. The unauthorized exposure of your personal information is itself a recognized harm under California law.

If you received an OSI Systems data breach notification letter, do not discard it. It is evidence. Contact The Lyon Firm today for a free case evaluation.

Why Hire The Lyon Firm for Data Breach Cases?

When a corporation fails to protect your personal information, you deserve more than a credit monitoring subscription and an apology letter. The Lyon Firm’s data privacy practice is built specifically for this moment — holding companies accountable when their security failures put real people at risk.

CONTACT THE LYON FIRM TODAY

Please complete the form below for a FREE consultation.

  • This field is for validation purposes and should be left unchanged.