
Highlands Oncology Group, a healthcare provider based in Arkansas, has disclosed a ransomware attack that compromised sensitive personal and medical data belonging to over 113,000 individuals across multiple states.
The incident was officially reported in an August 1, 2025, statement following a forensic investigation and patient notification process.
Incident timeline and attack details
Highlands Oncology first detected unauthorized access on June 2, 2025, but the internal investigation revealed that attackers had accessed the network as early as January 21. During this period, an unidentified threat actor exfiltrated sensitive data from internal systems.
The Medusa ransomware group later claimed responsibility for the intrusion, listing Highlands Oncology on its extortion portal with a $700,000 ransom demand and a deadline of July 21. While the group threatened to publish the stolen data, it is not currently listed on Medusa’s leak site. It remains unclear whether the data was made publicly available at any point or if the ransom demand was paid.
Highlands worked with cybersecurity experts and law enforcement to contain the threat and determine the extent of the compromise.
Data exposed in the breach
According to the official notice, information that may have been compromised includes:
- Full names and dates of birth
- Social Security numbers and government-issued identification
- Financial account and payment card data
- Health insurance details and medical record numbers
- Information related to medical treatment and clinical history
The combination of financial information and protected health information (PHI) in the exposed data raises heightened concerns.
Notification letters were mailed to impacted individuals on August 1, 2025, in accordance with HIPAA and state-level data breach disclosure laws.
Highlands Oncology is offering 12 months of complimentary identity protection services through Experian IdentityWorks Credit 3B. These services include credit monitoring, identity restoration, and insurance coverage for certain types of fraud.
Impacted individuals are encouraged to review financial accounts, insurance claims, and credit reports closely, and to take advantage of the free monitoring services.
Ongoing investigation and prior incident
This is not the first ransomware incident reported by Highlands Oncology. In December 2023, the organization notified the U.S. Department of Health and Human Services (HHS) of a ransomware attack that impacted the protected health information (PHI) of 55,297 individuals. The compromised data included names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, medications, and other treatment details. Following that incident, Highlands implemented additional monitoring, revised remote access policies, and strengthened its technical safeguards.
Following the latest incident, Highlands Oncology states that it has implemented additional security measures to improve system defenses and prevent similar intrusions. The organization has also filed a breach report with the U.S. Department of Health and Human Services’ Office for Civil Rights, listing 113,575 affected individuals.
Broader implications
The healthcare sector continues to be a prime target for ransomware groups due to the high value of medical and financial data. Incidents like this highlight the ongoing need for robust cyber defenses, incident response planning, and patient awareness.
Healthcare providers are encouraged to audit their authentication controls, monitor for abnormal system behavior, and ensure timely updates to their security infrastructure. Patients should remain alert for possible identity theft or fraud attempts resulting from stolen personal data.