ApolloMD Business Services

Between May 22 and May 23, 2025, ApolloMD suffered a ransomware attack by the Qilin group, exposing 238 GB of sensitive data, including personally identifiable information (PII) (names, addresses, Social Security numbers) and protected health information (PHI) (diagnoses, treatment records, health insurance details). The breach compromised patient data across multiple affiliated practices, heightening risks of identity theft, medical fraud, and financial exploitation. The attackers exfiltrated documents such as tax certificates, bank deposit slips, and reconciliation worksheets, confirming unauthorized access to critical systems. ApolloMD responded by securing networks, engaging cybersecurity firms, notifying law enforcement, and offering credit monitoring to affected individuals. The incident underscores severe vulnerabilities in healthcare data security, with long-term reputational and operational consequences.

Source: https://www.claimdepot.com/data-breach/apollomd-2025

TPRM report: https://www.rankiteo.com/company/apollomd

"id": "apo4802648092025",
"linkid": "apollomd",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'patients of affiliated '
                                              'physician practices',
                        'industry': 'healthcare',
                        'location': 'USA',
                        'name': 'ApolloMD Business Services',
                        'type': 'healthcare business services provider'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Passaic Hospitalist Services LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Pensacola Hospitalist Physicians LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Broad River Physicians Group LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Olive Branch Emergency Physicians LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Aurora Emergency Physicians LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Passaic River Physicians LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'The Bortolazzo Group LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Methodist University Emergency Physicians '
                                'PLLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Trinity Emergency Physicians LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Lorain Emergency Physicians LLC',
                        'type': 'physician practice'},
                       {'customers_affected': 'patients treated by the '
                                              'practice',
                        'industry': 'healthcare',
                        'name': 'Pennsylvania Hospitalist Group LLC',
                        'type': 'physician practice'}],
 'attack_vector': 'unauthorized network access',
 'customer_advisories': ['Review healthcare and insurance statements for '
                         'unfamiliar activity.',
                         'Report suspicious charges or services to '
                         'providers/insurers immediately.',
                         'Monitor for identity theft or medical fraud '
                         'indicators.'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'file_types_exposed': ['documents',
                                        'spreadsheets',
                                        'emails',
                                        'financial records'],
                 'personally_identifiable_information': ['names',
                                                         'dates of birth',
                                                         'addresses',
                                                         'Social Security '
                                                         'numbers (for some '
                                                         'individuals)'],
                 'sensitivity_of_data': 'high (includes SSNs, medical records, '
                                        'and financial documents)',
                 'type_of_data_compromised': ['PII',
                                              'PHI',
                                              'financial documents (tax '
                                              'certificate, bank deposit slip)',
                                              'operational documents '
                                              '(negotiation notice, email '
                                              'notice, daily reconciliation '
                                              'worksheet)']},
 'date_detected': '2025-05-22',
 'date_publicly_disclosed': '2025-06-12',
 'description': 'Between May 22 and May 23, 2025, ApolloMD Business Services '
                'experienced a ransomware attack by the Qilin group, resulting '
                'in the exposure of 238 GB of sensitive data, including PII '
                'and PHI of patients treated by its affiliated physicians. The '
                'breach included names, dates of birth, addresses, diagnosis '
                'information, provider names, dates of service, treatment '
                'details, health insurance information, and Social Security '
                'numbers for some individuals. The incident was publicly '
                'disclosed on June 12, 2025, via a dark web forum post by '
                'Qilin. ApolloMD responded by securing systems, launching an '
                'investigation, engaging third-party cybersecurity experts, '
                'notifying law enforcement, and offering credit monitoring to '
                'affected individuals.',
 'impact': {'brand_reputation_impact': 'potential loss of trust among patients '
                                       'and affiliated practices',
            'data_compromised': ['PII (names, dates of birth, addresses, '
                                 'Social Security numbers)',
                                 'PHI (diagnosis information, provider names, '
                                 'dates of service, treatment information, '
                                 'health insurance details)'],
            'identity_theft_risk': 'high (due to exposure of PII and PHI)',
            'legal_liabilities': 'potential regulatory penalties (e.g., HIPAA '
                                 'violations)',
            'operational_impact': 'disruption of IT operations, need for '
                                  'system securing and investigation',
            'payment_information_risk': 'low (no explicit mention of payment '
                                        'card data, but bank deposit slips '
                                        'were accessed)',
            'systems_affected': ['IT systems', 'network']},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'high_value_targets': ['PII',
                                                  'PHI',
                                                  'financial documents']},
 'investigation_status': 'ongoing (as of Sept. 17, 2025)',
 'motivation': 'financial gain (ransomware extortion)',
 'post_incident_analysis': {'corrective_actions': ['enhanced security '
                                                   'protocols',
                                                   'additional technical '
                                                   'safeguards']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Qilin'},
 'recommendations': ['ApolloMD recommends patients review statements from '
                     'healthcare providers and health insurance plans for '
                     'unfamiliar services or charges.',
                     'Individuals should monitor for signs of identity theft '
                     'or medical fraud (e.g., unexpected bills, insurance '
                     'claim denials).',
                     'Affiliated practices and patients are advised to remain '
                     'vigilant due to the high risk of identity theft and '
                     'medical fraud.'],
 'references': [{'source': 'ApolloMD Breach Notice (Website)'},
                {'date_accessed': '2025-06-12',
                 'source': 'Qilin Dark Web Forum Post'}],
 'regulatory_compliance': {'regulations_violated': ['potential HIPAA '
                                                    'violations']},
 'response': {'communication_strategy': ['mailed notification letters to '
                                         'affected patients (starting Sept. '
                                         '17, 2025)',
                                         'posted detailed breach notice on '
                                         'company website',
                                         'dedicated toll-free incident '
                                         'response line (833-397-6797)'],
              'containment_measures': ['secured IT systems',
                                       'launched internal investigation'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['enhanced security protocols',
                                    'additional technical safeguards'],
              'third_party_assistance': 'engaged a third-party cybersecurity '
                                        'firm'},
 'stakeholder_advisories': ['Notification letters mailed to affected patients.',
                            'Dedicated toll-free support line for questions '
                            '(833-397-6797).',
                            'Credit monitoring services offered to individuals '
                            'whose SSNs were exposed.'],
 'threat_actor': 'Qilin ransomware group',
 'title': 'ApolloMD Ransomware Attack and Data Breach (May 2025)',
 'type': ['ransomware', 'data breach']}