In a report filed with Maine’s Attorney General on June 27, Horizon disclosed that six state residents were impacted but did not provide a total number of affected individuals. As of Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights had not yet listed the incident on its breach portal, which logs healthcare data breaches affecting 500 or more people.
However, the scope of the incident may be broader. It remains unclear whether Horizon is notifying patients directly on behalf of these clients or whether each will report the breach independently.
In a public notice, Horizon explained that the breach was first detected on December 27, 2024, when ransomware locked access to some files. While systems were later restored, the company determined that certain data had also been copied without permission.
Horizon noted that it “arranged for the responsible party to delete the copied data,” indicating a likely ransom negotiation. Notices are being sent to affected individuals where possible.
The compromised data varies, but most records included a Horizon internal number, patient ID, or insurance claims data.
In some cases, more sensitive details were exposed, such as Social Security numbers, driver’s license or passport numbers, payment card details, or financial account information.
Despite the breach, Horizon stated that there have been no confirmed cases of identity theft linked to the incident.
The matter has been reported to federal law enforcement.
Multiple law firms have since announced investigations into the breach, raising the possibility of class-action litigation. This incident follows several high-profile breaches involving other RCM firms in recent months.
In May, Nebraska-based ALN Medical Management updated a previously filed breach report, raising the number of affected individuals from 501 to over 1.3 million. Similarly, Gryphon Healthcare disclosed in October 2024 that nearly 400,000 people were impacted by a separate attack.
Most recently, California-based Episource LLC revealed in June that a ransomware incident in February exposed the health information of roughly 5.42 million individuals. That event now ranks as the second-largest healthcare breach in the U.S. so far in 2025.
Experts say that RCM vendors continue to be lucrative targets for cybercriminals due to their access to vast stores of healthcare data and their central role in financial operations.
Bob Maley, Chief Security Officer at Black Kite, noted that targeting these firms offers hackers outsized rewards. “Hitting one RCM provider can affect dozens of healthcare facilities, exposing massive amounts of data and disrupting financial workflows all at once,” he said.
Maley warned that many of these firms are still operating under outdated cybersecurity models. “They’re stuck in a compliance mindset, treating risk in vague terms. But boards want to know the real-world financial impact,” he said.
He also emphasized the importance of supply chain transparency. “These vendors play a crucial role for hospitals, but how well do they know their own vendors? Relying on outdated assessments leaves them blind to emerging threats.”
Maley concluded that until RCM providers prioritize cybersecurity as a business imperative—not just an IT issue—the industry will remain vulnerable to repeating breaches.
