Outcomes One, Inc., a healthcare technology company under Cardinal Health, suffered a data breach on July 1, 2025, when a cybercriminal gained unauthorized access to an employee’s email account via a phishing attack. The intrusion lasted approximately one hour, during which sensitive files and emails were accessed. The breach exposed personally identifiable information (PII) of 149,094 individuals, including names, demographic details, health insurance data, medical provider names, and medication records. The company confirmed the incident on July 17, 2025, and began notifying affected individuals by September 23, 2025, while also reporting the breach to the Attorneys General of California, Montana, and Oregon. The compromised data poses risks of identity theft, privacy violations, and financial fraud, with potential long-term consequences for impacted patients and pharmacies in its network of 48,000+ locations serving 70 million+ individuals nationwide.
Source: https://www.claimdepot.com/investigations/outcomes-one-data-breach-2025
TPRM report: https://www.rankiteo.com/company/om1-inc.
"id": "om10892908092425",
"linkid": "om1-inc.",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '149,094 individuals',
'industry': 'Healthcare',
'location': 'Orlando, Florida, USA',
'name': 'Outcomes One, Inc.',
'size': 'Part of Cardinal Health; serves 48,000+ '
'pharmacies',
'type': 'Healthcare Technology Company'}],
'attack_vector': 'Email Phishing',
'customer_advisories': ['Review and save notification letters',
'Enroll in credit monitoring services',
'Monitor accounts for fraud',
'Consider fraud alerts/credit freezes',
'Seek legal assistance for compensation'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Emails', 'Attachments'],
'number_of_records_exposed': '149,094',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII + Protected Health '
'Information)',
'type_of_data_compromised': ['Name',
'Demographic Information',
'Health Insurance Information',
'Medical Provider Name',
'Medication Information']},
'date_detected': '2025-07-01',
'date_publicly_disclosed': '2025-09-23',
'description': 'Outcomes One, Inc., a healthcare technology company, '
'experienced a data breach on July 1, 2025, due to an email '
'phishing incident. An unauthorized actor accessed an '
"employee's email account for approximately one hour, "
'compromising sensitive personally identifiable information '
'(PII) and health-related data of 149,094 individuals. The '
'breach was publicly disclosed on September 23, 2025, with '
'notifications sent to affected consumers and regulatory '
'authorities in California, Montana, and Oregon.',
'impact': {'brand_reputation_impact': 'Potential Reputation Damage (Ongoing '
'Investigation)',
'data_compromised': True,
'identity_theft_risk': 'High (PII and Health Data Exposed)',
'legal_liabilities': 'Potential Class Action Lawsuits',
'systems_affected': ['Email Account']},
'initial_access_broker': {'entry_point': 'Phishing Email (Compromised '
'Employee Account)',
'high_value_targets': ['Email Account Containing '
'Sensitive Data']},
'investigation_status': 'Ongoing (Class Action Investigation by Shamis & '
'Gentile P.A.)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'root_causes': ['Successful Phishing Attack',
'Insufficient Email Security '
'Controls']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Enroll in free credit monitoring/identity protection '
'services if offered',
'Monitor financial accounts for suspicious activity',
'Place a fraud alert on credit reports',
'Request annual free credit reports',
'Seek legal counsel for compensation eligibility'],
'references': [{'source': 'Shamis & Gentile P.A. Investigation Notice'},
{'source': 'Outcomes One, Inc. Data Breach Notification (Mail, '
'Sept. 23, 2025)'}],
'regulatory_compliance': {'legal_actions': ['Potential Class Action Lawsuits '
'(Under Investigation by Shamis & '
'Gentile P.A.)'],
'regulatory_notifications': ['California Attorney '
'General',
'Montana Attorney '
'General',
'Oregon Attorney '
'General']},
'response': {'communication_strategy': ['Mail Notifications to Affected '
'Individuals',
'Regulatory Disclosures (California, '
'Montana, Oregon AG Offices)'],
'containment_measures': ['Account Lockdown', 'Investigation'],
'incident_response_plan_activated': True,
'remediation_measures': ['Consumer Notifications',
'Credit Monitoring Services (Offered)']},
'stakeholder_advisories': ['Mail notifications to affected individuals',
'Regulatory disclosures to state AG offices'],
'threat_actor': 'Unknown Cybercriminal',
'title': 'Outcomes One, Inc. Data Breach (2025)',
'type': ['Data Breach', 'Phishing'],
'vulnerability_exploited': 'Human Error (Phishing Susceptibility)'}