Catalyst RCM Breach Impacts Diagnostic Lab Patients as Everest Claims Data Leak
Catalyst RCM, a Texas-based medical billing and coding/revenue cycle management firm, began notifying patients tied to multiple diagnostic laboratory clients after a hacking incident in November led to theft of sensitive health information. Reported exposed data includes medical details such as diagnoses and treatments, indicating potential compromise of protected health information (PHI) handled on behalf of client laboratories.
The Everest ransomware group claimed responsibility for the intrusion and said it has published the stolen data on its leak site. The affected client organizations cited include KorPath (pathology testing), Korgene (molecular diagnostics), and Vikor Scientific (antibiotic resistance testing), with Korgene described as part of Vikor Scientific, which has rebranded as Vanta Diagnostics; KorPath also publicly notes partnerships with Vanta/Vikor for some testing services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Catalyst RCM begins notifying affected patients and updates security measures
By 2026-02-10, Catalyst RCM was notifying patients of multiple diagnostic laboratory clients about the breach. The company also said it had reviewed and updated its protocols, policies, and procedures following the incident.
Everest ransomware gang claims Catalyst-linked lab data theft
The Everest ransomware group claimed responsibility for the incident and listed KorPath, Korgene, and Vikor Scientific on its leak site as victims. Everest said the stolen data was published after the organizations missed its deadline and had been redistributed to other forums and leak databases.
Catalyst RCM detects suspicious activity
Catalyst RCM reported identifying suspicious activity in its environment on 2025-11-13, leading to investigation of the unauthorized server access. The company later determined the intrusion had occurred several days earlier.
Attackers access Catalyst RCM server and copy patient data
Catalyst RCM said attackers used valid credentials to access a server between 2025-11-08 and 2025-11-09 and copied data without authorization. The stolen information reportedly included diagnoses, medical treatments, medical records, and billing information tied to multiple diagnostic laboratory clients.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Everest Ransomware Attack on Catalyst RCM Exposes Vikor Scientific Patient Data
**Everest ransomware** claimed responsibility for a breach tied to *Catalyst RCM*, a third-party medical billing/revenue cycle management provider, resulting in exposure of data associated with diagnostic firm **Vikor Scientific** (now operating as **Vanta Diagnostics**) and affiliated labs. Reporting indicates suspicious activity was detected in Catalyst RCM’s secure file system in November 2025, with investigation finding misuse of an authorized login to access a server and copy data without permission. The incident was reported as affecting roughly **139,964–140,000 individuals**, and Everest later posted the victim(s) to its Tor leak site and published allegedly stolen files after an apparent failure to reach payment. Stolen data described across reporting includes a mix of **personal, financial, and healthcare information**, potentially including names, dates of birth, payment card data, and medical/diagnosis details; Everest also claimed theft of specific datasets (e.g., tens of thousands of PDFs totaling multiple gigabytes). Catalyst RCM reviewed the exposed information to determine impacted individuals and support notification efforts. Separate reporting on a ransomware-driven clinic shutdown at the **University of Mississippi Medical Center** describes a different, unrelated incident with no confirmed linkage to Everest or Catalyst RCM.
Mar 21, 2026
Healthcare Data Breaches and Patient Record Exposure at Providers and Vendors
Multiple healthcare entities reported **unauthorized access and patient data exposure**, with incidents spanning direct provider compromises and third-party vendor breaches. **Insight Hospital and Medical Center (Chicago)** disclosed suspicious activity in its IT environment, with investigators confirming **unauthorized network access from Aug 22 to Sep 11, 2025**; the organization said the review is ongoing but potentially impacted data includes **names, DOB, SSNs, passport numbers, financial account data, treatment information, and insurance details**. Two extortion groups publicly claimed responsibility: **LockBit** alleged theft of ~`200 GB` and **Termite** claimed `360 GB`, stating it leaked data in late February 2026. In France, attackers stole about **15.8 million administrative files** after breaching health-ministry software supplier **Cegedim Santé**, impacting its *MonLogicielMedical (MLM)* product used by thousands of doctors; the stolen data reportedly included **identity and contact details**, and in a smaller subset (~**165,000** files) **free-text doctors’ notes** that in limited cases contained sensitive medical-history details. Separately, **OCAT, LLC d/b/a Evoke Wellness at Hilliard** updated a breach notification describing **unauthorized network activity** and potential access to patient information; reporting also tied the matter to an **insider misuse** investigation in which a former employee allegedly accessed and sold patient data, though public filings contained **inconsistent timelines** about when the underlying incident occurred and when it was discovered.
Mar 25, 2026
Ransomware and Data-Theft Incidents Impacting US Healthcare and Education Organizations
The University of Hawaiʻi Cancer Center confirmed a **ransomware-driven data breach** affecting its epidemiology division, with the potential exposure of data tied to up to **1.2 million individuals**. The university reported that attackers accessed files containing **SSNs and driver’s license numbers** sourced from historical Hawaiʻi DOT records and Honolulu voter registration data (dating back to 1998), as well as health-related research data connected to the **Multiethnic Cohort (MEC) Study** and other diet-and-cancer studies; the incident was discovered on **August 31, 2025**, and the university acknowledged it engaged with the threat actors while restoration and impact assessment were underway. Separately, a “cyber incident” caused a **five-school-day internet outage** at the Denmark School District in Wisconsin; the **INC Ransom** group claimed the victim on its leak site, alleging both **encryption** and theft of roughly **70.76 GB** of data, though the district had not publicly confirmed ransomware or data exfiltration. In the healthcare sector, **Insight Hospital and Medical Center** in Chicago reported unauthorized network access between **August 22 and September 11, 2025**, and the **Termite** group later claimed to have stolen and then **leaked ~360 GB** (about 900,000 files) of “confidential data,” including medical imaging files (e.g., `.dcm`), raising the likelihood of exposure of both identity data and protected health information.
Mar 21, 2026