On June 12, 2025, Qilin added ApolloMD to their darkweb leak site with a date of June 6. They claimed to have 238 GB of files.
ApolloMD, headquartered in Georgia, is a business associate to hospitals and health systems, providing them with services to enhance clinical operations and patient care, and to optimize financial performance. Founded in 1983, it remains a privately owned, physician-led group with no outside ownership accepted.
Qilin’s listing offered a few screenshots as proof of claims. None of the screenshots involved any personally identifiable information or protected health information, although two of the files involved some financial information.
The listing claimed all of ApolloMD’s data would be available on June 16, 2025, but Qilin apparently did not follow through on its threat as no data was found in the download link.
On September 15, ApolloMD posted a substitute notice on its website. The notice indicates that unauthorized access occurred between May 22 – May 23. It does not name the threat actor(s), it does not indicate whether any files were encrypted, and it does not indicate whether there was any ransom demand, although it is likely that they received a ransom demand. DataBreaches emailed ApolloMD to ask whether Qilin encrypted any files and whether Qilin was still threatening them that they would leak the data. No reply was immediately available.
ApolloMD notified the following physician practices between July 21, 2015 and September 11, 2025:
- Passaic Hospitalist Services LLC
- Pensacola Hospitalist Physicians LLC
- Broad River Physicians Group LLC
- Olive Branch Emergency Physicians LLC
- Aurora Emergency Physicians LLC
- Passaic River Physicians LLC
- The Bortolazzo Group LLC
- Methodist University Emergency Physicians PLLC
- Trinity Emergency Physicians LLC
- Lorain Emergency Physicians LLC; and
- Pennsylvania Hospitalist Group LLC.
On September 17, ApolloMD sent notification letters to affected patients, explaining that the data involved patient names, dates of birth, addresses, diagnosis information, provider names, dates of service, treatment information, and/or health insurance information. For some individuals, the incident may have also involved their Social Security numbers. Those patients are being offered complimentary credit monitoring services with CyberScout.
Pensacola Hospitalist Physicians notified the New Hampshire Attorney General’s Office. If other affected physician practices have issued their own notifications to regulators, they have not shown up in routine searches.
The incident does not yet appear on HHS’s public breach tool, so we do not yet know the total number of patients affected.