What type of cyberattack occurred at Horizon Healthcare RCM?

The attack was identified as a ransomware incident involving both system encryption and data exfiltration. The attackers not only encrypted systems but also stole sensitive data from the company's networks.

What sensitive information was compromised in the Horizon Healthcare RCM breach?

The compromised data included internal Horizon numbers and customer numbers, patient identifiers and medical record numbers, names and addresses, Social Security numbers, dates of birth, driver's license numbers, passport numbers, payment card information, checking and financial account information, general health insurance claims processing information, and non-address contact information.

Did Horizon Healthcare RCM pay a ransom to the attackers?

While not explicitly confirmed, there are strong indications that Horizon Healthcare RCM may have paid a ransom. The company reports they have arranged for the party responsible to delete the copied information, and the incident has not appeared on any dark web leak sites or criminal forums, which typically occurs when ransom demands are not met.

How many patients were affected by the Horizon Healthcare RCM breach?

The number of affected individuals has not been disclosed by Horizon Healthcare RCM.

Why was there a six-month delay in notifying patients?

The reason for the six-month delay between the breach discovery on December 27, 2024, and patient notification on June 27, 2025, has not been explained by Horizon Healthcare RCM. This extended timeline raises questions about the company's incident response and notification procedures.

What type of company is Horizon Healthcare RCM?

Horizon Healthcare RCM is a billing management company that provides revenue cycle management services to multiple healthcare providers, handling patient billing and payment processing operations.

What should affected patients do to protect themselves?

Affected patients should monitor all financial accounts and credit reports for suspicious activity, consider placing fraud alerts or credit freezes with credit bureaus, be vigilant for medical identity theft, review all medical and insurance statements for unauthorized services, change passwords for healthcare portals and financial accounts, and report any suspicious activity to authorities and financial institutions.

How does this breach affect multiple healthcare providers?

Since Horizon Healthcare RCM serves multiple healthcare providers as a billing management company, the breach potentially affects patients from various medical practices and healthcare facilities that use their services, making this a significant supply chain security incident in healthcare.

What evidence suggests this was a paid ransom situation?

Several factors suggest a ransom payment occurred: the company's statement about arranging for data deletion by the responsible party, the absence of the stolen data on dark web leak sites or criminal forums where unpaid ransomware victims' data typically appears, and the attackers' apparent cooperation in agreeing to delete the exfiltrated information.

Incident

Horizon Healthcare RCM hit by ransomware attack exposing patient data

published: June 29, 2025

Learn More

Horizon Healthcare RCM, a billing management company serving multiple healthcare providers reports a ransomware attack between December 25 and December 27, 2024, exposing sensitive patient information.

The breach was discovered on December 27, 2024, but the company did not notify affected individuals until June 27, 2025, creating a six-month delay between discovery and public notification.

The attack's cause was identified as a ransomware incident involving both system encryption and data exfiltration. The company reports they have arranged for the party responsible for this matter to delete the copied information. This possibly means they have paid some ransom. The compromised data types included:

Internal Horizon numbers and customer numbers
Patient identifiers and medical record numbers
Names and addresses
Social Security numbers
Dates of birth
Driver's license numbers
Passport numbers
Payment card information
Checking and financial account information
General health insurance claims processing information
Non-address contact information

The number of affected individuals has not been disclosed.

The incident has not appeared on any dark web leak sites or criminal forums, which is additional evidence that the company negotiated with the threat actors and paid the demanded ransom. Cybersecurity experts warn that ransomware groups may retain copies of stolen data despite assurances of deletion, and organizations should not rely solely on criminal promises regarding data destruction.

Horizon Healthcare RCM hit by ransomware attack exposing patient data

Read More
Chapman & Roberts PA Law Firm reports data …
RansomHub gang claims breach of Mexican government's official …
Ransomware attack on college admission system exposes student …
Irish Office of the Ombudsman hit by ransomware …
ABC Legal Services reports cybersecurity incident, data breach