







On Oct. 24, 2025, Physicians to Children & Adolescents, a long-standing pediatric healthcare provider in Bardstown, Kentucky, reported a significant data breach. The data security incident may have exposed personally identifiable information (PII) and protected health information (PHI) of at least 9,536 current and former patients across the U.S.
According to reports, the breach was the result of a ransomware attack orchestrated by a group known as Cactus. The attackers claimed responsibility for the incident on the dark web, stating they had accessed and exfiltrated approximately 902 GB of sensitive data from the organization. The exposed information may include names, dates of birth, addresses, phone numbers, medical information and health insurance information.
The potential exposure of PII and PHI put individuals at risk of identity theft and medical fraud. The data breach was disclosed to the U.S. Department of Health and Human Services on Oct. 24, 2025.
In response to the ransomware attack, Physicians to Children & Adolescents took steps to notify affected individuals and comply with federal reporting requirements. While details of its internal response and any resources offered have not been made public, organizations in the healthcare sector typically review and enhance their cybersecurity measures following such incidents. They may also work with cybersecurity experts to investigate the breach and prevent further unauthorized access.
Individuals who believe they may be affected by this breach should remain vigilant for signs of identity theft or fraud. It is advisable to monitor credit reports, review medical statements for unfamiliar activity, and consider placing fraud alerts with credit bureaus. If patients receive a notification letter from the organization, it may contain additional instructions or resources, such as credit monitoring services.
