Catalyst RCM Data Breach Exposes Sensitive Patient Information in Ransomware Attack
Catalyst RCM, a U.S.-based revenue cycle management provider for healthcare organizations, confirmed a data breach after detecting suspicious activity in its file management system on November 13, 2025. An investigation revealed that unauthorized access occurred between November 8–9, 2025, when an attacker used valid credentials to copy data from a server.
The Everest ransomware group claimed responsibility for the attack, announcing on a dark web forum that it had exfiltrated 9.39 GB of data from Vikor Scientific (now Vanta Diagnostics), including medical billing documents tied to KorPath and Korgene diagnostic laboratories. The stolen records contained sensitive patient information, such as:
- Names and contact details
- Dates of birth
- Health insurance data
- Provider names and internal patient IDs
- Dates of service, medications, and treatment details
While the total number of affected individuals remains undisclosed, 88 Rhode Island residents were confirmed impacted. Catalyst RCM posted a breach notice on its website, with Vikor Scientific linking to the disclosure. The incident was reported to the offices of the attorneys general of California and Vermont.
The company completed its review on December 12, 2025, and is offering affected individuals complimentary identity protection services, including credit monitoring, cyber scan monitoring, and a $1 million insurance reimbursement policy. Legal firms, including Shamis & Gentile P.A., are investigating potential compensation claims for victims.
Source: https://www.claimdepot.com/investigations/catalyst-rcm-data-breach-2026
KorPath cybersecurity rating report: https://www.rankiteo.com/company/korpath
Vanta Diagnostics cybersecurity rating report: https://www.rankiteo.com/company/vanta-diagnostics
Catalyst RCM - Better Results. No Comparison cybersecurity rating report: https://www.rankiteo.com/company/catalyst-rcm
{
  "id": "KORVANCAT1770667690",
  "linkid": "korpath, vanta-diagnostics, catalyst-rcm",
  "type": "Ransomware",
  "date": "11/2025",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'U.S.',
                        'name': 'Catalyst RCM',
                        'type': 'Revenue Cycle Management Provider'},
                       {'industry': 'Healthcare',
                        'location': 'U.S.',
                        'name': 'Vikor Scientific (Vanta Diagnostics)',
                        'type': 'Diagnostics Laboratory'},
                       {'industry': 'Healthcare',
                        'name': 'KorPath',
                        'type': 'Diagnostics Laboratory'},
                       {'industry': 'Healthcare',
                        'name': 'Korgene',
                        'type': 'Diagnostics Laboratory'}],
 'attack_vector': 'Valid credentials',
 'customer_advisories': 'Offering complimentary identity protection services '
                        '(credit monitoring, cyber scan monitoring, $1 million '
                        'insurance reimbursement policy)',
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': 'Medical billing documents',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Names',
                                              'Contact details',
                                              'Dates of birth',
                                              'Health insurance data',
                                              'Provider names',
                                              'Internal patient IDs',
                                              'Dates of service',
                                              'Medications',
                                              'Treatment details']},
 'date_detected': '2025-11-13',
 'date_resolved': '2025-12-12',
 'description': 'Catalyst RCM, a U.S.-based revenue cycle management provider '
                'for healthcare organizations, confirmed a data breach after '
                'detecting suspicious activity in its file management system '
                'on November 13, 2025. An investigation revealed that '
                'unauthorized access occurred between November 8–9, 2025, when '
                'an attacker used valid credentials to copy data from a '
                'server. The Everest ransomware group claimed responsibility '
                'for the attack, exfiltrating 9.39 GB of data from Vikor '
                'Scientific (now Vanta Diagnostics), including medical billing '
                'documents tied to KorPath and Korgene diagnostic '
                'laboratories. The stolen records contained sensitive patient '
                'information such as names, contact details, dates of birth, '
                'health insurance data, provider names, internal patient IDs, '
                'dates of service, medications, and treatment details.',
 'impact': {'data_compromised': '9.39 GB of data',
            'identity_theft_risk': 'High',
            'systems_affected': 'File management system, server'},
 'initial_access_broker': {'entry_point': 'Valid credentials'},
 'investigation_status': 'Completed',
 'post_incident_analysis': {'root_causes': 'Unauthorized access via valid '
                                           'credentials'},
 'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Everest'},
 'references': [{'source': 'Catalyst RCM breach notice'},
                {'source': 'Vikor Scientific breach notice'}],
 'regulatory_compliance': {'legal_actions': 'Potential compensation claims '
                                            'being investigated by Shamis & '
                                            'Gentile P.A.',
                           'regulatory_notifications': 'Reported to attorneys '
                                                       'general offices of '
                                                       'California and '
                                                       'Vermont'},
 'response': {'communication_strategy': 'Breach notice posted on company '
                                        'website, reported to attorneys '
                                        'general offices of California and '
                                        'Vermont'},
 'threat_actor': 'Everest ransomware group',
 'title': 'Catalyst RCM Data Breach Exposes Sensitive Patient Information in '
          'Ransomware Attack',
 'type': 'Ransomware, Data Breach'}