Catalyst RCM: Medical billing company RCA warns of data breach claimed by 2 ransomware groups

Cybercriminal Gangs Medusa and Qilin Claim Breach of Medical Billing Firm RCA

Two ransomware groups, Medusa and Qilin, have claimed responsibility for breaching Resource Corporation of America (RCA), a Houston-based medical billing company, in December 2025. The attack exposed sensitive personal data, including names, Social Security numbers, health insurance details, medical diagnoses, treatment records, dates of birth, and addresses.

RCA confirmed the incident in a notice on its website, stating that unauthorized actors accessed its systems between December 9 and December 17, 2025, and exfiltrated files. The company has not acknowledged either group’s claims, and details of the breach, including the attack vector, ransom demands, and whether a payment was made, remain unverified.

Medusa, which first emerged in 2019 and launched its data leak site in 2023, initially demanded $800,000 in ransom. After negotiations allegedly failed, the group reposted RCA’s data on its leak site, stating the company had attempted to reduce the payment but was refused. Qilin, active since late 2022, also claimed responsibility but did not disclose its ransom demand.

Both groups operate ransomware-as-a-service (RaaS) models, deploying malware that encrypts systems and steals data to pressure victims into paying. In 2025, Qilin claimed 182 attacks, while Medusa took credit for 36, with healthcare organizations as frequent targets. Previous breaches linked to the groups include Insightin Health (Medusa) and SimonMed Imaging (Qilin), which exposed data on 1.3 million individuals.

The RCA breach is part of a broader surge in ransomware attacks on U.S. healthcare businesses. In 2025, 30 confirmed attacks on non-direct-care providers such as billing firms, pharmaceutical companies, and medical device makers compromised the data of over 6 million people. Another recent incident involved Catalyst RCM, which notified 139,000 individuals after an attack by the Everest ransomware group.

Healthcare billing firms are prime targets due to their handling of vast amounts of sensitive data and connections to multiple third-party clients. Such breaches can disrupt critical operations, endanger patient privacy, and expose organizations to prolonged downtime or regulatory consequences.

Source: https://www.comparitech.com/news/medical-billing-company-rca-warns-of-data-breach-claimed-by-2-ransomware-groups/

Catalyst RCM TPRM report: https://www.rankiteo.com/company/catalyst-rcm

"id": "cat1771961762",
"linkid": "catalyst-rcm",
"type": "Ransomware",
"date": "12/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'Houston, Texas, USA',
                        'name': 'Resource Corporation of America (RCA)',
                        'type': 'Medical billing company'}],
 'customer_advisories': 'Notice on company website',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Names, Social '
                                                        'Security numbers, '
                                                        'dates of birth, '
                                                        'addresses',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information',
                                              'Health insurance details',
                                              'Medical diagnoses',
                                              'Treatment records']},
 'date_detected': '2025-12-09',
 'description': 'Two ransomware groups, Medusa and Qilin, have claimed '
                'responsibility for breaching Resource Corporation of America '
                '(RCA), a Houston-based medical billing company, in December '
                '2025. The attack exposed sensitive personal data, including '
                'names, Social Security numbers, health insurance details, '
                'medical diagnoses, treatment records, dates of birth, and '
                'addresses. RCA confirmed the incident but has not '
                'acknowledged either group’s claims, and details of the breach '
                'remain unverified.',
 'impact': {'brand_reputation_impact': 'Potential damage to brand reputation',
            'data_compromised': 'Sensitive personal data, including names, '
                                'Social Security numbers, health insurance '
                                'details, medical diagnoses, treatment '
                                'records, dates of birth, and addresses',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Potential regulatory consequences',
            'operational_impact': 'Disruption of critical operations'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': 'Likely (implied by ransomware attack)',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '$800,000 (Medusa)'},
 'references': [{'source': 'RCA website notice'}],
 'response': {'communication_strategy': 'Notice on company website'},
 'threat_actor': ['Medusa', 'Qilin'],
 'title': 'Cybercriminal Gangs Medusa and Qilin Claim Breach of Medical '
          'Billing Firm RCA',
 'type': 'Ransomware'}