
Highlands Oncology Group discloses ransomware attack impacting over 113,000 patients

Highlands Oncology Group, a leading cancer care provider in Northwest Arkansas, has confirmed a significant data breach following a ransomware attack that exposed the personal and medical information of more than 113,000 individuals. The incident, first detected on June 2, 2025, revealed that an unauthorized actor had accessed the organization’s network as early as January 21 and remained undetected for more than four months.


According to a breach notification submitted to the Maine Attorney General, the attacker intermittently accessed the network until deploying ransomware to encrypt files in early June. A subsequent forensic investigation determined that the compromised data included a wide range of sensitive personal and protected health information. The exposed details varied by individual and may have included names, dates of birth, Social Security numbers, driver’s license or passport numbers, medical treatment records, insurance policy details, and financial account data.


Highlands began notifying affected individuals by mail on August 1, 2025. Those whose Social Security numbers or government-issued ID information were compromised are being offered complimentary identity theft protection services. All individuals have been urged to monitor their financial accounts, credit reports, and medical benefits statements for suspicious activity.


While the official notification did not name the attacker, the Medusa ransomware group has claimed responsibility for the breach. Known for its double extortion tactics, Medusa is believed to have stolen patient data in addition to encrypting files and demanded a $700,000 ransom to prevent public disclosure. Highlands Oncology Group was briefly listed on Medusa’s data leak site, but the listing has since been removed, indicating a ransom may have been paid. Highlands has not confirmed whether any payment was made.


This incident marks the second ransomware attack on Highlands in less than two years. The organization was previously targeted in November 2023. It also comes amid a broader rise in cyberattacks on healthcare providers, particularly those in oncology services. Just last month, a phishing campaign affected 26 cancer care facilities affiliated with the Integrated Oncology Network.


The Medusa group has increasingly focused on healthcare institutions, prompting a joint security advisory earlier this year from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The group has been linked to more than 300 cyberattacks globally, including a high-profile breach at kidney dialysis provider DaVita.


A recent survey conducted on behalf of cybersecurity firm Semperis found that 77% of healthcare organizations experienced ransomware attacks over the past year, with over half reporting multiple incidents. The persistent threat underscores the critical need for enhanced cybersecurity protocols across the healthcare sector.

 



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543