On August 1, Highlands Oncology Group in Arkansas notified the Maine Attorney General’s Office of a ransomware attack it discovered on June 2, when certain files and systems were inaccessible. Investigation into the incident revealed that there had been unauthorized access at times between January 21, 2025, and June 2, 2025.
On June 19, the Medusa gang had added Highlands to its leak site with a price tag of $700,000.00 to delete the data or download it. A countdown clock indicated a deadline of July 21.
Highlands’ report to Maine indicated that a total of 113,575 people were affected by this attack. A check of Medusa’s leak site today does not find Highlands listed or leaked. DataBreaches has sent an inquiry to Medusa asking them to confirm whether the listing was removed or not. If it was removed, it could mean that Highlands paid an extortion demand to have Medusa delete the data, but there could be other explanations. DataBreaches will update this post if Medusa replies.
The incident has not yet shown up on HHS’s public breach tool, but Highlands has posted a substitute notice on its website, linked from the home page. The notice discloses that it was a ransomware attack, but makes no mention of any extortion demand or of whether any data showed up on the internet.
A Previous Ransomware Attack
The Medusa ransomware incident is not Highlands’ first ransomware incident. On December 22, 2023, Highlands notified HHS of an incident affecting 55,297 patients. HHS investigated, and its closing statement reads:
The covered entity (CE), Highlands Oncology Group, reported that it experienced a ransomware incident that affected the protected health information (PHI) of 55,297 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, claims information, diagnoses, conditions, lab results, medications, and other treatment information. The CE notified HHS, the affected individuals, and the media. In response to the breach, the CE implemented additional system monitoring safeguards, revised policies regarding remote access, and implemented additional technical safeguards.
In response to the recent breach, Highlands’ substitute notice states:
Highlands Oncology is committed to maintaining the privacy and security of the information entrusted to it. Highlands has taken, and is taking, additional steps to help reduce the likelihood of a similar event from happening in the future, including enhancing its technical security measures.
Given that there was unauthorized access beginning in January, and the incident involved exfiltration of files and then encryption, what will HHS find and do when they investigate this incident?