DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Horizon Healthcare RCM discloses ransomware attack in December

Posted on June 29, 2025 by Dissent

Attacks on revenue cycle management (RCM) firms and debt collection firms often provide criminals with a wealth of personal and protected health information because successfully compromising one billing vendor may give access to the sensitive data of numerous covered entities or clients.

Horizon Healthcare RCM (“Horizon”) in Indiana is the latest RCM to disclose that it has been the victim of a breach.

In a substitute notice on its site and in its notification to the Maine Attorney General’s Office, Horizon reported that between December 25 and December 27, it suffered a ransomware attack with encryption and data exfiltration. They discovered the breach on December 27.

The notification to Maine, filed by Horizon Financial Management LLC, did not disclose the total number of people affected by the breach, only disclosing that 6 Maine residents were affected and providing a sample notification letter. DataBreaches was unable to download the sample notification letter, but Horizon’s website substitute notice described the data involved as varying from individual to individual:

The most common types of information were an internal Horizon number, customer number, or other patient identifier in conjunction with general health insurance claims processing information. In some circumstances, a Medical Record Number was identified with the claims processing information. In a small number of instances, non-address contact information, date of birth, Social Security number, driver’s license number, passport number, payment card information, or checking or financial account information were identified.

In their FAQ, Horizon expands on the above:

Horizon is sending notification letters to patients whose information was involved with this matter. For certain patients, there is insufficient information available to directly notify them. As referenced above, the types of information involved for patients that could not be directly identified was internal reference numbers and general claims processing information. If there are concerns, individuals may consider monitoring their health insurance for unexpected claims information. For a small group of patients (under 500) that have Social Security or government identification numbers, payment card numbers or checking/financial account information involved, they may consider referencing the free resources and guidance in the “Steps Individuals Can Take To Protect Personal Information” section below.

Horizon’s notice states that they have no indication of an individual experiencing verified identity theft or fraud as a result of this incident. That insertion of “verified” allows the possibility that they may have one or more reports but those incidents could not be definitively linked to the breach as the cause (a traceability issue).

Ransomware Attack

Of note, Horizon was more transparent than most entities that try to omit any mention of ransomware or a ransom. Horizon frankly disclosed a virus encrypted their files and their notice strongly hints that they paid a ransom demand to get data deleted: “Additionally, we arranged for the party responsible for this matter to delete the copied information.”

They did not disclose what ransomware threat actor or group was responsible. This incident has not shown up on any darkweb leak sites or forums, providing additional indication that Horizon paid the threat actors. Whether the criminals retained a copy of the data anyway and it will show up at some future date remains to be seen, but patients should not rely on any assurances from criminals about data deletion. Nor should they relax because the data cannot be found online at this time.

How Many Patients Were Affected?

As of publication, the total number of patients affected by this incident has not been disclosed, and there is no listing on HHS’s public breach tool.

Whether Horizon will be disclosing the breach to HHS on behalf of all of its affected clients or if the clients will be doing their own reporting to HHS is also unknown.

DataBreaches emailed Horizon to ask which threat actor was responsible for the attack, how many patients, total, were affected, and whether Horizon is making notifications to regulators or clients are. No reply was immediately available.

Horizon lists some of its more successful partnerships on its website:

  • Ascension Health
  • Adfinitas Health
  • Bon Secours Health System
  • Crook County Medical Services District
  • Joseph Dotolo, MD, FACC
  • Ensemble Health Partners
  • Franciscan Alliance
  • Guthrie Lourdes Hospital
  • Methodist Hospitals
  • Pinnacle Wound Care
  • TeleCare Pharmacy
  • The Podiatry Care Center

DataBreaches has not seen any breach reports by any of the above recently that would correspond to Horizon’s description of the incident, but has reached out to two of the entities to inquire. How many other partners not listed on the site might be affected is also unknown to DataBreaches.

This post will be updated if more information becomes available.

Related posts:

  • Horizon Blue Cross Blue Shield Pays $1.1M For Customer Data Breach
  • NJ: Horizon BCBS notifies members that perps posing as doctors stole their insurance information
  • Mercy Health Lorain Hospital Laboratory patients notified of HIPAA breach due to contractor invoice printing error
  • Command Marketing Innovations Reports Printing Error Impacting Horizon Blue Cross Blue Shield of New Jersey Members
Category: Breach IncidentsHealth DataMalwareSubcontractorU.S.

Post navigation

← Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.