Everest Ransomware Attack on Catalyst RCM Exposes Vikor Scientific Patient Data
Everest ransomware claimed responsibility for a breach tied to Catalyst RCM, a third-party medical billing/revenue cycle management provider, resulting in exposure of data associated with diagnostic firm Vikor Scientific (now operating as Vanta Diagnostics) and affiliated labs. Reporting indicates suspicious activity was detected in Catalyst RCM’s secure file system in November 2025, with investigation finding misuse of an authorized login to access a server and copy data without permission. The incident was reported as affecting roughly 139,964–140,000 individuals, and Everest later posted the victim(s) to its Tor leak site and published allegedly stolen files after an apparent failure to reach payment.
Stolen data described across reporting includes a mix of personal, financial, and healthcare information, potentially including names, dates of birth, payment card data, and medical/diagnosis details; Everest also claimed theft of specific datasets (e.g., tens of thousands of PDFs totaling multiple gigabytes). Catalyst RCM reviewed the exposed information to determine impacted individuals and support notification efforts. Separate reporting on a ransomware-driven clinic shutdown at the University of Mississippi Medical Center describes a different, unrelated incident with no confirmed linkage to Everest or Catalyst RCM.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
HHS breach tracker lists Vikor incident affecting 139,964 people
By February 2026, the U.S. Department of Health and Human Services breach tracker listed Vikor Scientific as affected by the Catalyst RCM incident, with 139,964 individuals impacted. Reports noted the total could increase because other related entities had not yet separately reported to HHS.
Catalyst RCM issues breach notifications and offers credit monitoring
After completing its review, Catalyst RCM notified affected individuals about the incident and offered free credit monitoring and identity restoration services. The company said it was not aware of any identity theft or fraud resulting from the breach.
Catalyst RCM completes review of affected individuals
By December 12, 2025, Catalyst RCM had finished its investigation and identified the individuals affected by the breach. The review found that personal, medical, insurance, and payment-related information may have been exposed.
Everest adds Vikor and affiliated labs to leak site
In November 2025, the Everest ransomware group listed Vikor Scientific and its affiliated labs KorPath and Korgene on its Tor-based leak site, claiming responsibility for the attack. Reports said the group stole nearly 12 GB of documents.
Unauthorized access at Catalyst RCM leads to data theft
In early November 2025, Catalyst RCM discovered that an authorized login had allegedly been misused to access a secure file management server and copy files without permission. The incident affected data tied to Vikor Scientific, now Vanta Diagnostics, and affiliated labs including KorPath and Korgene.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
About 140K compromised in Vikor Scientific breach | SC Media
scworld.com
Open sourceEverest ransomware hits Vikor Scientific 's supplier, data of 140,000 patients stolen
securityaffairs.com
Open sourceteiss - News - Ransomware attack on medical billing provider impacted about 140,000 patients
teiss.co.uk
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Catalyst RCM Breach Impacts Diagnostic Lab Patients as Everest Claims Data Leak
*Catalyst RCM*, a Texas-based medical billing and coding/revenue cycle management firm, began notifying patients tied to multiple diagnostic laboratory clients after a hacking incident in November led to theft of sensitive health information. Reported exposed data includes medical details such as **diagnoses and treatments**, indicating potential compromise of protected health information (PHI) handled on behalf of client laboratories. The **Everest** ransomware group claimed responsibility for the intrusion and said it has published the stolen data on its leak site. The affected client organizations cited include **KorPath** (pathology testing), **Korgene** (molecular diagnostics), and **Vikor Scientific** (antibiotic resistance testing), with Korgene described as part of Vikor Scientific, which has rebranded as **Vanta Diagnostics**; KorPath also publicly notes partnerships with Vanta/Vikor for some testing services.
Mar 21, 2026
Ransomware and Data-Theft Incidents Impacting US Healthcare and Education Organizations
The University of Hawaiʻi Cancer Center confirmed a **ransomware-driven data breach** affecting its epidemiology division, with the potential exposure of data tied to up to **1.2 million individuals**. The university reported that attackers accessed files containing **SSNs and driver’s license numbers** sourced from historical Hawaiʻi DOT records and Honolulu voter registration data (dating back to 1998), as well as health-related research data connected to the **Multiethnic Cohort (MEC) Study** and other diet-and-cancer studies; the incident was discovered on **August 31, 2025**, and the university acknowledged it engaged with the threat actors while restoration and impact assessment were underway. Separately, a “cyber incident” caused a **five-school-day internet outage** at the Denmark School District in Wisconsin; the **INC Ransom** group claimed the victim on its leak site, alleging both **encryption** and theft of roughly **70.76 GB** of data, though the district had not publicly confirmed ransomware or data exfiltration. In the healthcare sector, **Insight Hospital and Medical Center** in Chicago reported unauthorized network access between **August 22 and September 11, 2025**, and the **Termite** group later claimed to have stolen and then **leaked ~360 GB** (about 900,000 files) of “confidential data,” including medical imaging files (e.g., `.dcm`), raising the likelihood of exposure of both identity data and protected health information.
Mar 21, 2026
University of Hawaii Cancer Center Ransomware Breach and Delayed Disclosure
The **University of Hawaii (UH) Cancer Center** disclosed that a ransomware intrusion affecting a single cancer research project led to the encryption of systems and the theft of a limited set of research files, including some legacy documents from the 1990s containing **Social Security numbers** used to identify study participants. UH reported the incident occurred in late August 2025 and said clinical operations and patient care were not impacted, but recovery and investigation were delayed due to the extent of encryption damage; UH also stated it engaged external experts, isolated affected systems, and negotiated with the attackers, including paying to obtain a decryptor and seeking assurances of deletion of stolen data. The disclosure drew scrutiny because UH reportedly notified the state legislature well after Hawaii’s **20-day breach reporting deadline**, and the university has not provided key details such as the specific research project, the number of affected individuals, or concrete measures proving the stolen data was not exposed after negotiations. Separate reporting on unrelated ransomware activity included **Everest** claiming a breach of **Nissan** with an alleged 900GB data theft and **Trellix** research describing **CrazyHunter** ransomware targeting Taiwan healthcare organizations; those items do not appear connected to the UH Cancer Center incident beyond being ransomware-related.
Mar 21, 2026