Catalyst RCM Data Breach Exposes PHI and PII

Published: February 9, 2026
Updated: February 9, 2026

On Nov. 13, 2025, Catalyst RCM, a U.S.-based revenue cycle management company serving healthcare providers, discovered suspicious activity within its secure file management system.

The incident occurred between Nov. 8 and Nov. 9, 2025, when an unauthorized individual used valid login credentials to access a secure server managed by Catalyst RCM. This server contained sensitive files related to medical billing and coding services provided to Vikor Scientific (now operating as Vanta Diagnostics), KorPath and Korgene diagnostic laboratories.

On Nov. 13, 2025, the Everest ransomware group claimed responsibility for the attack, announcing on a dark web forum that they had obtained 9.39 GB of internal data from Vikor Scientific and intended to publish it within five to six days.

The information exposed included personally identifiable information (PII) and protected health information (PHI) such as patient names, contact information, dates of birth, health insurance information, provider names, internal patient identification numbers, dates of service, medication information, and treatment and/or diagnostic information.

According to disclosures filed with the California Attorney General and the Vermont Attorney General, approximately 88 Rhode Island residents were among those impacted, with the total number of affected individuals likely higher across multiple states. The company has also posted a notice of data event on its website.

Catalyst's response

Upon learning of the breach, Catalyst notified its business partners and began a comprehensive review of its protocols, policies and procedures to strengthen security and reduce the likelihood of a similar event occurring in the future. The company has worked to identify all individuals whose information was involved and is sending direct notifications to those affected.

To help protect impacted individuals, Catalyst RCM is offering complimentary identity theft protection services through IDX. These services include up to 24 months of credit and CyberScan monitoring, a $1 million insurance reimbursement policy and fully managed identity theft recovery services. Affected individuals must enroll themselves in the services using the instructions and enrollment code provided in their notification letter.

Because the breach involved unauthorized access using valid credentials, affected individuals are encouraged to remain vigilant by monitoring account statements, reviewing explanation of benefits statements and checking free credit reports for suspicious activity or errors.

Additional steps such as placing a fraud alert or credit freeze with the major credit bureaus are also recommended.

Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical Information
  • Financial Info
  • Affected information types not yet disclosed

Affected Entity
Catalyst RCM
Consumers Notification date
Date of Breach
Breach Discovered Date
Total People Affected
Information Types Exposed
  • patient names
  • contact information
  • dates of birth
  • health insurance information
  • provider names
  • internal patient identification numbers
  • dates of service
  • medication information
  • treatment and/or diagnostic information