Highlands Oncology Group, a provider of complete cancer care in six areas in Northwest Arkansas, recently announced a cyberattack that was initially discovered on June 2, 2025. A hacker accessed the Group’s system on January 21, 2025, and remained undiscovered until June 2, 2025, when the attacker deployed ransomware to encrypt files. During that period, network access was intermittent, and patient information could have been viewed or stolen.
Analysis of the files revealed that they contained protected health information (PHI), including names, birth dates, passport numbers, driver’s license/state ID numbers, Social Security numbers, financial account data, credit/debit card numbers, medical treatment data, patient account numbers, medical record numbers, and/or medical insurance policy data. The types of information viewed or stolen differed from one person to another.
The data breach report submitted to the Maine Attorney General indicated that the personal data of 113,575 individuals was affected. Breach notification letters began going out on August 1, 2025. Highlands Oncology Group offered free identity theft protection services to individuals whose driver’s license numbers and/or Social Security numbers were exposed. All affected people were instructed to stay alert for improper use of their data and to keep an eye on their accounts, credit reports, and explanation of benefits statements for signs of misuse.
Although Highlands Oncology Group did not mention the threat actor in the breach notification letters, the Medusa ransomware group announced that it was behind the attack. Medusa engages in double extortion: it steals data and demands a ransom both to stop the exposure of the stolen information and to provide the data decryption keys. Medusa was the main topic of a joint advisory by the FBI, CISA, and MS-ISAC at the beginning of this year after attacking over 300 organizations, including some healthcare entities. Medusa was responsible for the ransomware attack on DaVita, the kidney dialysis provider, at the start of 2025. Medusa temporarily listed Highlands Oncology Group on its data leak website and demanded a $700,000 ransom payment. The listing is no longer posted on the data leak site, which implies Highlands Oncology Group paid the ransom.
Highlands Oncology Group is one of the cancer care centers recently targeted by cybercriminals. In July 2025, a phishing attack impacted 26 cancer care centers affiliated with the Integrated Oncology Network. This is not Highlands Oncology Group’s first ransomware attack. The first attack happened in November 2023. A recent study by cybersecurity company Semperis showed that 77% of healthcare institutions, including HIPAA-compliant entities, encountered a ransomware attack in the last 12 months. 53% were successful, while 60% experienced several attacks.