A May 2025 ransomware attack on ApolloMD Business Services — a Georgia-based healthcare management company serving over 125 physician practices across 18 states — has now officially been confirmed to have exposed the sensitive personal and medical information of 626,540 individuals. The full scope of the breach only reached the U.S. Department of Health and Human Services breach portal in February 2026, nearly nine months after the initial attack.

What Was Stolen

Between May 22 and May 23, 2025, unauthorized attackers gained access to ApolloMD’s IT systems and made off with files containing both personally identifiable information (PII) and protected health information (PHI). The exposed data includes names, addresses, dates of birth, diagnosis information, provider names, dates of service, treatment information, and health insurance data. For a subset of individuals, Social Security numbers were also compromised.

The Qilin ransomware group claimed responsibility for the attack in June 2025, stating they had exfiltrated approximately 238 GB of data. Qilin has been one of the most active ransomware groups of the past year, having targeted hundreds of organizations globally, including the UK’s National Health Service.

A Nine-Month Gap That Left Victims Exposed

ApolloMD began notifying affected physicians and practices between July and September 2025. Individual patients started receiving notification letters on September 17, 2025 — four months after the attack. However, the full 626,540-person count was not officially reported to HHS until February 2, 2026.

That nine-month window of uncertainty is not just troubling — it is potentially catastrophic for victims. During that time, anyone affected could have had fraudulent medical claims filed on their behalf, had prescriptions written using their identity, or had their tax returns stolen using their Social Security numbers. Credit monitoring, which ApolloMD is offering to those whose SSNs were exposed, only catches financial fraud after it occurs. It does nothing to prevent medical identity theft.

Healthcare: The Softest Target in Cybersecurity

The ApolloMD breach is not an isolated incident — it is part of a systemic pattern. The healthcare sector continues to be one of the most heavily targeted industries because it combines high-value sensitive data with legacy infrastructure, constrained security budgets, and organizations that cannot afford operational downtime. Until the industry collectively invests in robust, proactive cybersecurity — and regulators enforce faster and more transparent breach notification standards — patients will continue to be the ones who pay the price.