The IT Nerd

According to the U.S. Department of Health and Human Services Breach Portal, a major cyberattack on ApolloMD, a large healthcare services provider, exposed the personal information of 626,540 people in a breach that occurred May 22-23, 2025. Attackers accessed the company’s IT systems before being detected, and viewed sensitive data tied to ApolloMD’s affiliated physicians and practices, including patient names, addresses, medical diagnoses, insurance info, dates of service, and some social security numbers.

The company first reported the breach in September 2025, and provided authorities with the full number of victims this week.

The ransomware gang Qilin has claimed responsibility for the attack, adding the company to its Tor-based leak site in early June 2025. 

Here’s some commentary on this.

Vishal Agarwal, CTO Averlon:

   “The ApolloMD breach is unlikely to stem from a single missed vulnerability. Maintaining access for two days and reaching sensitive patient records suggests attackers were able to assemble an attack chain that led to protected health information.

   “In complex healthcare environments, applications and service identities often accumulate access over time. When systems are overprivileged, an attack chain does not stop at the initial compromise. It expands the blast radius and increases the volume of sensitive data that can be accessed.

   “In such environments, an assume-breach mindset and strict enforcement of least privilege are essential. Eliminating unnecessary access paths reduces blast radius and prevents an initial foothold from expanding into material data exposure.”

Michael Bell, CEO, Suzu Labs:

   “Dark web intelligence shows over 500 ApolloMD corporate credentials were already circulating on underground forums and Telegram channels before the breach. They came from third-party breaches going back years and were available to anyone who looked. When a healthcare organization holding data on 626,000 patients has that kind of credential exposure on the dark web unaddressed, the ransomware group doesn’t need a zero-day. They need a login.

   “238 gigabytes exfiltrated in 48 hours is not subtle. That should trigger every exfiltration alarm in the stack. If it didn’t, the monitoring wasn’t tuned for it. If it did and nobody acted, that’s worse. Qilin had a documented playbook before they hit ApolloMD. The Synnovis attack in 2024 crippled London hospitals and contributed to patient deaths. Their targeting, tools, and techniques were public knowledge.

   “Healthcare keeps treating vendor security like a regulatory exercise instead of an operational risk. ApolloMD touches patient data across dozens of physician groups. One vendor compromised, 626,000 patients exposed. And nine months between the breach and the HHS filing means those patients carried the exposure without knowing it. HIPAA requires notification within 60 days of discovery. The math doesn’t work.”

John Carberry, Solution Sleuth, Xcape, Inc.:

   “The ApolloMD data breach, which compromised the sensitive medical information of over 626,000 patients, serves as a stark warning that the healthcare industry has become a prime target for sophisticated extortionists globally. The Qilin ransomware group has been identified as the same Russian-linked entity behind the 2024 Synnovis attack. That incident disrupted London hospitals and reportedly led to at least one patient fatality, and they have now extended its “industrialized” extortion tactics to the U.S. healthcare system. Qilin’s impressive efficiency is underscored by its ability to exfiltrate 238GB of data, containing diagnoses and Social Security numbers, in just 48 hours, a speed that overwhelms conventional reactive defense strategies. The delayed revelation of the breach’s full extent, only recently reported to federal regulators, exposes the significant “visibility gap” inherent in managing third-party physician groups.

   “Security Operations Centers must understand that Qilin’s objective goes beyond mere financial gain; they leverage operational disruption and the considerable “shame value” associated with sensitive medical diagnoses to compel settlements. Qilin’s admitted involvement further emphasizes the persistent threat posed by ransomware groups to healthcare services and patient safety, echoing previous disruptive attacks on medical providers. The repercussions for patients can extend for years, even when services appear to be unaffected on the surface. Such patient information can be valuable to unscrupulous entities so further such misuses of the exfiltrated data are possible.

   “When ransomware can weaponize 600,000 medical records in a single weekend, it underscores the fact that “compliance” is just paperwork but cybersecurity is the lifeblood.”

Groups like Qilin highlights the fact that it’s not optional for organizations to have a robust defence strategy. It’s mandatory or they will simply become another statistic.