Full Report
On June 12, 2025, Qilin added ApolloMD to its dark web leak site with a date of June 6, claiming to hold 238 GB of files. ApolloMD, headquartered in Georgia, is a business associate to hospitals and health systems, providing them with services to enhance clinical operations and patient care and to optimize financial performance....
Analysis Summary
# Incident Report: ApolloMD Data Compromise by Qilin Threat Group
## Executive Summary
ApolloMD, a healthcare business associate, experienced unauthorized access to its systems between May 22 and May 23, 2025. The threat actor, identified as Qilin, claimed to have exfiltrated 238 GB of data and listed ApolloMD on their dark web leak site in early June. The incident impacted 11 affiliated physician practices, exposing sensitive patient information including PHI, PII, and potentially Social Security Numbers.
## Incident Details
- Discovery Date: June 6, 2025 (the date Qilin listed the data publicly; the unauthorized access itself occurred earlier)
- Incident Date: Unauthorized access occurred between May 22 – May 23, 2025
- Affected Organization: ApolloMD (and 11 associated physician practices)
- Sector: Healthcare (Business Associate)
- Geography: Headquarters in Georgia, USA
## Timeline of Events
### Initial Access
- Date/Time: May 22, 2025
- Vector: Not stated in the available reporting; the outcome was unauthorized access to ApolloMD systems.
- Details: Unauthorized access began on May 22 and lasted until May 23, 2025.
### Lateral Movement
- Details: Not described in the available reporting, but implied by the volume of data claimed to have been exfiltrated (238 GB) and the number of affected practices.
### Data Exfiltration/Impact
- Date/Time: Claimed by Qilin on June 6, 2025, listing 238 GB of files.
- Details: Data involved patient names, DOBs, addresses, diagnosis information, provider names, dates of service, treatment information, health insurance information, and potentially Social Security Numbers for some individuals.
### Detection & Response
- Date/Time: September 15, 2025 (ApolloMD posted substitute notice)
- Details: ApolloMD posted a substitute notice on its website on September 15. Notifications to affected physician practices began as early as July 21, 2025, and patient notification letters were sent starting September 17, 2025.
## Attack Methodology
- Initial Access: Unknown, unauthorized access gained.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified, but data collection implies internal reconnaissance occurred.
- Lateral Movement: Implied due to the scope of data exfiltration affecting associated practices.
- Collection: 238 GB of data collected, including PHI/PII.
- Exfiltration: Data was exfiltrated and threatened for release on the dark web by Qilin.
- Impact: Data breach involving sensitive patient records.
## Impact Assessment
- Financial: Unknown; ApolloMD is offering credit monitoring services, suggesting direct costs for remediation and notification.
- Data Breach: Sensitive Personal Information (PII) and Protected Health Information (PHI) belonging to patients of 11 practices. This includes names, DOBs, addresses, diagnosis, treatment info, insurance info, and potentially SSNs.
- Operational: Not specified, though compliance and patient relations efforts were initiated.
- Reputational: Affected ApolloMD and 11 associated physician practices (e.g., Pensacola Hospitalist Physicians).
## Indicators of Compromise
- Network indicators: None published. The Qilin leak-site listing is documented in the databreaches.net report (defanged: `hxxps://databreaches[.]net/2025/09/26/apollomd-notifies-patients-of-11-physician-practices-affected-by-a-june-cyberattack/`)
- File indicators: Qilin claimed 238 GB of files; some screenshots suggested financial information was involved.
- Behavioral indicators: Unauthorized data access window between May 22–May 23, 2025.
## Response Actions
- Containment: The containment steps taken immediately after discovery are not described in the available reporting; the organization did notify affected practices and patients and posted a substitute notice.
- Eradication: Not specified.
- Recovery actions: Affected patients offered complimentary credit monitoring services with CyberScout. Regulatory notifications were initiated (e.g., to NH AG).
## Lessons Learned
- The presence of a business associate (ApolloMD) creates third-party risk for numerous provider organizations (11 practices).
- The threat actor (Qilin) successfully exfiltrated a significant volume of sensitive data (238 GB).
- The interval between the unauthorized access (May 22-23) and public disclosure and patient notification (September) indicates a lengthy breach analysis period or a delay in meeting disclosure obligations.
## Recommendations
- Review and strengthen access controls and monitoring across all systems processing PHI, particularly for business associates.
- Conduct thorough assessments of vendor security posture, including containment and notification procedures required upon detection of unauthorized access.
- Ensure timely patient notification procedures align with regulatory requirements following breach confirmation.