Full Report
There is an update to a breach previously reported on DataBreaches.net. ApolloMD describes itself as a private, independent group of physicians that partners with more than 100 hospitals nationwide to provide integrated, multispecialty physician, Ambulatory Payment Classifications (APCs), and practice management services. As such, they are business associates of HIPAA-covered entities. This week, the Georgia-based...
Analysis Summary
# Incident Report: ApolloMD Data Breach and Qilin Ransomware Attack
## Executive Summary
In May 2025, ApolloMD, a Georgia-based physician management group and HIPAA Business Associate, was targeted by the Qilin ransomware group. The incident resulted in the exfiltration of approximately 238 GB of sensitive data, including the Protected Health Information (PHI) and Social Security numbers of 626,540 patients across 11 managed physician practices. While public notification occurred in late 2025, the full scale of the breach was only officially reported to federal regulators in February 2026.
## Incident Details
- **Discovery Date:** June 12, 2025 (via threat actor leak site)
- **Incident Date:** May 22, 2025 – May 23, 2025
- **Affected Organization:** ApolloMD (and 11 subsidiary physician practices)
- **Sector:** Healthcare (Physician Practice Management)
- **Geography:** Georgia, USA (Nationwide impact)
## Timeline of Events
### Initial Access
- **Date/Time:** May 22, 2025
- **Vector:** Not publicly disclosed (Qilin typically relies on spear-phishing or compromised VPN/RDP credentials)
- **Details:** The intrusion began on May 22, 2025 and spanned roughly 48 hours (May 22–23, 2025).
### Lateral Movement
- **Details:** Attackers navigated the network to access systems containing practice management services and patient records for over 100 partner hospitals.
### Data Exfiltration/Impact
- **Exfiltration:** Threat actor (Qilin) claimed to have stolen 238 GB of data.
- **Impact:** Compromise of PHI and PII for over 600,000 individuals.
### Detection & Response
- **Detection:** While internal detection dates aren't confirmed, the breach became public knowledge when Qilin listed ApolloMD on their dark web leak site on June 12, 2025.
- **Client Notification:** Affected physician groups were notified between July 21 and Sept 11, 2025.
- **Public/Patient Notification:** Letters were mailed on Sept 17, 2025; substitute website notice posted Sept 29, 2025.
- **Regulatory Reporting:** HHS was formally notified in February 2026.
## Attack Methodology
- **Initial Access:** Likely compromised credentials or vulnerability exploitation (consistent with Qilin TTPs).
- **Persistence:** Not disclosed.
- **Collection:** Gathering of 238 GB of practice management and patient data.
- **Exfiltration:** Staging and removal of files; five screenshots were posted on the leak site as proof of possession of the data.
- **Impact:** Data theft and extortion. The use of encryption (ransomware) was not confirmed by ApolloMD in their substitute notice, though the threat actor is a known ransomware-as-a-service (RaaS) entity.
## Impact Assessment
- **Financial:** Potential HIPAA fines due to delayed reporting; costs for credit monitoring services for 626,540 victims.
- **Data Breach:** Compromise of Names, DOBs, Addresses, Diagnoses, Provider names, Treatment info, Insurance info, and Social Security numbers.
- **Operational:** Management of data for 11 distinct LLCs/physician practices was directly impacted.
- **Reputational:** Significant public visibility via DataBreaches.net and dark web leak sites.
## Indicators of Compromise
- **Network indicators:** None disclosed in the report (defanged context: typically associated with `qilin[.]re` or related onion domains).
- **Behavioral indicators:** Large-scale data egress (238 GB) over a 24-48 hour window.
## Response Actions
- **Containment:** Secured affected systems (specific technical steps not disclosed).
- **Eradication:** Investigation into the scope of the data accessed.
- **Recovery:** Notification process for 11 primary physician practices and over 600k patients.
- **Compliance:** Filed late-stage reporting with the Department of Health and Human Services (HHS).
## Lessons Learned
- **Reporting Timelines:** There was a significant gap (approx. 5 months) between patient notification and official HHS reporting, potentially violating HIPAA Breach Notification Rule requirements.
- **Third-Party Risk:** As a business associate, ApolloMD’s breach highlights the "nexus point" risk where a single provider's compromise affects multiple hospital systems and practices.
## Recommendations
- **MFA Implementation:** Ensure Multi-Factor Authentication is enforced across all remote access points to thwart Qilin's common entry methods.
- **Egress Monitoring:** Implement alerts for large outbound data transfers to detect exfiltration in real-time.
- **Incident Response Planning:** Review and synchronize the timeline between discovery, victim notification, and regulatory filing to ensure legal compliance.
- **Data Minimization:** Review retention policies for patient data within practice management systems to reduce the "blast radius" of a potential theft.
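The egress-monitoring recommendation above is the one most readily turned into detection logic: a transfer on the order of 238 GB leaving one environment inside a 24–48 hour window is a strong signal if outbound volume is aggregated per internal host over a rolling window. The script below is an added example written for this report, not code from ApolloMD, Qilin analysis, or any vendor. It consumes constructed flow-log lines in a simple `timestamp src= dst= bytes=` format (the format, the sample addresses and the 50 GiB threshold are all assumptions; tune the threshold from your own baseline), counts only internal-to-external traffic as egress, and raises one alert per host the first time its rolling 24-hour outbound total crosses the threshold.

```python
"""Rolling-window bulk-egress detector over constructed flow-log lines.

Added example for this incident summary; not from the original report.
Log format and thresholds are assumptions and must be adapted to real data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

GiB = 1024 ** 3
# RFC 1918 ranges treated as "internal"; extend with your own address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(hours=24)   # rolling window per internal host
THRESHOLD = 50 * GiB           # assumed tuning value; derive from observed baseline


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed line: '<ISO-8601 UTC> src=<ip> dst=<ip> bytes=<n>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(ts, kv["src"], kv["dst"], int(kv["bytes"]))


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_bulk_egress(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per internal host whose outbound bytes to external
    destinations exceed `threshold` within any rolling `window`.

    Alert = (host, timestamp of the flow that crossed the threshold, bytes in window).
    Alerting once per host avoids a storm when a single transfer is split into
    thousands of flows, as a multi-hour exfiltration typically is.
    """
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)
    recent = defaultdict(deque)  # host -> deque of (ts, bytes) inside the window
    totals = defaultdict(int)    # host -> bytes currently inside the window
    alerts, alerted = [], set()
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only internal -> external traffic counts as egress
        q = recent[f.src]
        q.append((f.ts, f.nbytes))
        totals[f.src] += f.nbytes
        while q and f.ts - q[0][0] > window:   # evict flows older than the window
            _, old = q.popleft()
            totals[f.src] -= old
        if totals[f.src] > threshold and f.src not in alerted:
            alerted.add(f.src)
            alerts.append((f.src, f.ts, totals[f.src]))
    return alerts


# Constructed sample flows (documentation ranges only; not real addresses).
SAMPLE_FLOWS = [
    # host A: six 20 GiB transfers to one external host over ten hours (120 GiB)
    "2025-05-22T20:00:00Z src=10.20.30.40 dst=203.0.113.7 bytes=21474836480",
    "2025-05-22T22:00:00Z src=10.20.30.40 dst=203.0.113.7 bytes=21474836480",
    "2025-05-23T00:00:00Z src=10.20.30.40 dst=203.0.113.7 bytes=21474836480",
    "2025-05-23T02:00:00Z src=10.20.30.40 dst=203.0.113.7 bytes=21474836480",
    "2025-05-23T04:00:00Z src=10.20.30.40 dst=203.0.113.7 bytes=21474836480",
    "2025-05-23T06:00:00Z src=10.20.30.40 dst=203.0.113.7 bytes=21474836480",
    # host B: routine 50 MiB outbound, plus a 100 GiB internal backup that must be ignored
    "2025-05-22T21:00:00Z src=10.20.30.41 dst=198.51.100.9 bytes=52428800",
    "2025-05-22T21:30:00Z src=10.20.30.41 dst=10.20.40.5 bytes=107374182400",
    # host C: two 30 GiB transfers 48 hours apart; never exceeds 50 GiB in one window
    "2025-05-20T00:00:00Z src=10.20.30.42 dst=203.0.113.9 bytes=32212254720",
    "2025-05-22T00:00:00Z src=10.20.30.42 dst=203.0.113.9 bytes=32212254720",
]

if __name__ == "__main__":
    for host, ts, nbytes in detect_bulk_egress(SAMPLE_FLOWS):
        print(f"ALERT {host} crossed {THRESHOLD / GiB:.0f} GiB at {ts.isoformat()} "
              f"({nbytes / GiB:.0f} GiB in window)")
```

On the constructed sample only host A fires, at the third transfer (60 GiB in window); host B's large internal backup is excluded because the destination is internal, and host C's two transfers fall outside a shared 24-hour window. In production the same per-host rolling sum is usually run over NetFlow/IPFIX or firewall logs, with a per-host baseline replacing the fixed threshold.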