Highlands Oncology data breach exposes information of over 110,000 individuals

Highlands Oncology Group said the data security incident it suffered earlier this year compromised the sensitive personal data of more than 110,000 individuals.

 

Based in Springdale, Arkansas, Highlands Oncology Group provides comprehensive cancer care services to patients across the region. The group has multiple clinics and are known for offering advanced treatment options, multi-disciplinary cancer teams, and more.

 

In a data security incident notice published on its website, Highlands said that on June 2, it became aware of a cyber attack affecting its internal network. The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

It also took steps to secure the affected network and notified relevant law enforcement authorities about the incident.

 

“The forensic investigation determined that an unauthorised third party accessed Highlands’ computer network at times between January 21, 2025, and June 2, 2025, and encrypted some of its files. The investigation also determined that the third party may have accessed and acquired certain files from Highlands’ systems during this period,” Highlands said.

 

The compromise data included names, dates of birth, Social Security numbers, driver’s license/state identification numbers, passport numbers, credit/debit card numbers, financial account numbers, medical treatment information, medical record numbers, patient account numbers, and health insurance policy information.

 

The incident was reported to the Office of Maine Attorney General where Highlands said it has identified at least 113,575 individuals affected by the incident.

 

While the healthcare provider found no evidence of the compromise data being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. 

 

It has also offered one year of complimentary identity protection and credit monitoring services through TransUnion to all affected individuals.

 

 

In June, the Medusa ransomware group claimed responsibility for the cyber attack on Highlands and listed it as a victim on its data leak site. The group gave a deadline of July 27 for the healthcare provider to pay a ransom of $700,000, after which the group threatened to leak the stolen data.

 

Highlands did not comment on Medusa’s claims or its decision regarding the ransom payment.