Highlands Oncology Data Breach Affects 113,000 Patients

On June 2, 2025, Highlands Oncology Group PA, based in Northwest Arkansas, discovered a cyberattack that compromised the personal information of more than 113,000 individuals in the United States, including six in Maine.

An investigation revealed unauthorized access to the company’s computer network between January 21 and June 2, 2025. During this period, a threat actor known as MEDUSA infiltrated Highlands Oncology’s systems, encrypted files, and is believed to have accessed and acquired sensitive data.

The exposed information includes personally identifiable information (PII) and protected health information (PHI): names, Social Security numbers, driver’s license numbers, passport numbers, electronic or digital signatures, employee identification numbers, financial account information, medical information, and health insurance details.

On June 19th, the MEDUSA ransomware group publicly claimed responsibility for the attack, posting sample screenshots and threatening to publish stolen data within days on the dark web.

The incident was reported to the Maine Attorney General’s office on August 1, 2025, and Highlands Oncology Group began notifying affected individuals in writing on the same day.

The company has also published a detailed disclosure for the public on their website.

Highlands Oncology Group's response

Highlands Oncology Group is offering a complimentary one-year membership to Experian IdentityWorks Credit 3B, which provides credit monitoring, identity restoration services, and up to $1 million in identity theft insurance. Affected individuals are encouraged to enroll in this service and remain vigilant by reviewing account statements and monitoring credit reports for suspicious activity.

Given the nature of the breach—specifically, the involvement of ransomware and the theft of sensitive PII and PHI—individuals should consider placing fraud alerts or credit freezes with the major credit bureaus.

Individuals are also advised to file a police report if they experience identity theft or fraud and to consult resources provided by the Federal Trade Commission for additional guidance.