Vitas Healthcare Data Breach Exposes Personal Information of Over 300,000 Individuals
Vitas Healthcare, the largest for-profit hospice provider in the U.S. and a subsidiary of Chemed, disclosed a cybersecurity incident affecting more than 300,000 individuals. The breach was first detected on October 24, though unauthorized access to Vitas systems began as early as September 21 and persisted until October 27.
According to a data breach notice posted on November 21, attackers infiltrated Vitas’ network using a compromised vendor account. During the intrusion, the threat actor exfiltrated sensitive personal and medical data, including names, addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers (SSNs), insurance details, medical records, and next-of-kin contact information.
The U.S. Department of Health and Human Services (HHS) breach tracker confirms that 319,177 individuals were impacted. While the incident bears hallmarks of a ransomware attack, no known ransomware group has claimed responsibility, and Vitas has not confirmed whether a ransom demand was made.
Healthcare data breaches of this scale are increasingly common, with recent incidents affecting hundreds of thousands—or even millions—of patients across the sector. The Vitas breach underscores the persistent targeting of healthcare providers, where compromised vendor credentials remain a frequent attack vector.
Source: https://www.securityweek.com/over-300000-individuals-impacted-by-vitas-hospice-data-breach/
VITAS Healthcare cybersecurity rating report: https://www.rankiteo.com/company/vitas-healthcare
"id": "VIT1765275172",
"linkid": "vitas-healthcare",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '319,177',
'industry': 'Healthcare',
'location': 'United States',
'name': 'Vitas Healthcare',
'size': 'Large (largest for-profit hospice chain in '
'the U.S.)',
'type': 'Healthcare Provider'}],
'attack_vector': 'Compromised vendor account',
'customer_advisories': 'Data breach notice posted on a dedicated website',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '319,177',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Names',
'Addresses',
'Phone numbers',
'Dates of birth',
'Driver’s license numbers',
'Social Security Numbers (SSNs)',
'Medical information',
'Insurance information',
'Contact information for next of '
'kin']},
'date_detected': '2023-10-24',
'date_publicly_disclosed': '2023-11-21',
'description': 'Vitas Healthcare, the largest for-profit hospice chain in the '
'United States, experienced a cybersecurity incident where an '
'attacker gained access to some of its systems using a '
'compromised vendor account. Personal information of current '
'and former patients was downloaded during the breach.',
'impact': {'data_compromised': 'Personal information of 319,177 individuals',
'identity_theft_risk': 'High',
'systems_affected': 'Vitas Healthcare systems'},
'initial_access_broker': {'entry_point': 'Compromised vendor account'},
'investigation_status': 'Ongoing',
'references': [{'date_accessed': '2023-11-21',
'source': 'US Department of Health and Human Services (HHS) '
'healthcare data breach tracker'},
{'date_accessed': '2023-11-21',
'source': 'Vitas Healthcare data breach notice website'}],
'regulatory_compliance': {'regulatory_notifications': 'Reported to HHS '
'healthcare data breach '
'tracker'},
'response': {'communication_strategy': 'Data breach notice posted on a '
'dedicated website'},
'title': 'Vitas Healthcare Data Breach',
'type': 'Data Breach'}