BMG of Kansas Data Breach Exposes PHI of 1,327 Individuals

BMG of Kansas Inc., a family-owned contract manufacturer based in Hesston, Kansas, disclosed a data breach that affected 1,327 individuals in the United States. The breach was caused by a ransomware attack.

The breach was reported to the U.S. Department of Health and Human Services on Feb. 26, 2026.

What happened in the BMG data breach

On Nov. 10, 2025, a ransomware group known as Qilin posted a claim on the Tor dark web network saying it had obtained data belonging to BMG of Kansas Inc. Tor is an anonymous online network that is commonly used by criminal groups to post stolen data and make ransom demands to their victims.

The exact dates of when the breach first occurred, when the company discovered the intrusion and when affected individuals were notified have not been shared in available public records.

The company's regulatory filing with HHS came more than three months after Qilin's dark web claim in November 2025. The specific actions BMG of Kansas Inc. took between the dark web posting and the regulatory filing have not been detailed in available public disclosures.

Because the incident was reported to the U.S. Department of Health and Human Services, it involved protected health information. Protected health information is health-related data covered under federal privacy law, and it can include medical records, health insurance numbers, treatment histories, diagnosis codes and other sensitive health details.

The specific types of personal or health information exposed in this breach have not been shared in the available public records.

BMG's response to the breach

Details about the company's broader response to this incident have been limited in available public records.

Those who believe their information may have been involved in the breach can contact BMG directly at 620-327-4038 for more information about the incident and any resources that may be available. This phone number is listed on the company's website for direct inquiries.