Data breach of cancer care provider exposes over 113K patients


Highlands Oncology Group, an American healthcare organization focused on cancer treatment, has revealed that a ransomware attack exposed the personal details of numerous patients. The hackers took everything from names to payment card numbers.

Financially motivated threat actors are rarely picky about their targets. Earlier this year, the Medusa ransomware cartel breached Highlands, an Arkansas-based cancer treatment services provider. This week, the healthcare provider revealed the true extent of the attack.

According to information that Highlands submitted to the Maine Attorney General’s Office, over 113,500 individuals were exposed in the attack. The data breach notification sent to potentially impacted individuals explained that Highlands noticed something was wrong in early June, after its systems were encrypted.

Ransomware cartels operate by infiltrating target systems, stealing data, and encrypting those systems. This prevents organizations from restoring operations. At the same time, attackers demand ransom if the victim wants to get a decryptor, which would allow them to access the locked data.

Healthcare organizations are particularly sensitive to these types of attacks, as downtime is not only costly but could turn fatal if certain procedures cannot be carried out because digital systems are not working properly.

While Highlands’ data breach notice does not explicitly link the cybersecurity incident with a ransomware attack, Medusa ransomware claimed the organization earlier this year.

The attackers reportedly demanded $700,000 from the organization. Since Highlands was subsequently removed from Medusa’s dark web blog, the HIPAA Journal believes the organization may have paid the ransom.

Meanwhile, Highlands’ data breach notice revealed that attackers roamed its systems for several months, from late January 2025 until early June of the same year. During that time, attackers accessed a trove of sensitive personal details, which include:

  • Names
  • Dates of birth
  • Social Security numbers
  • Driver’s license or State ID numbers
  • Passport numbers
  • Payment card numbers
  • Financial account numbers
  • Medical treatment information
  • Medical record numbers
  • Patient account numbers
  • Health insurance policy information

While Highlands noted that not every individual had all details exposed, the data breach still elevates cybersecurity risks for those whose details were exposed. There are enough details for attackers to commit comprehensive identity theft.

At least in theory, that would allow cybercrooks to set up credit accounts or file fraudulent tax returns. These types of attacks are often particularly dangerous to individuals as they’re only revealed after the victim's credit score is impacted.

Moreover, Highlands' data breach could potentially lead to medical identity theft. Cybercriminals in the underworld particularly value medical information, as it sells well in data leak forums. Attackers use medical details to obtain medical services and access prescription drugs that can later be sold on the black market.

To assist individuals in mitigating the risks, Highlands said it will offer impacted individuals complimentary identity theft services for a year.

Healthcare institutions are among the most targeted. According to research from the Business Digital Index, the majority of the largest US hospitals have recently dealt with cyberattacks and data breaches. For example, in 2024, healthcare-related data breaches led to the theft of over 267 million records.