Cyberattack on healthcare RCM vendor may have impacted 140K patients
A data breach on a South Carolina-based diagnostics company impacted nearly 140,000 patients a Feb. 6 report with the U.S. Department of Health and Human Services (HHS) data breach tracker revealed. However, the nature of the incident, which appears to involve the compromise of a third-party vendor’s network, remains a mystery.
In a report, SecurityWeek said the unauthorized access of records at the diagnostic company, Vikor Scientific, “came to light in November 2025” when an infamous ransomware gang posted a data trove for sale on the dark web.
Vikor Scientific—which now performs molecular pathogen detection under the name Vanta Diagnostics—was not the only listed victim. According to SecurityWeek, “affiliated diagnostic laboratory companies” KorPath and Korgene were also listed as sources of the data trove, implying a common source was the true source of the information being leaked.
In other words, cybercriminals with the group Everest did not target any of the above with its usual method of network breach followed by the deployment of ransomware that locks down systems. Instead, the true target may be Catalyst RCM, a technology vendor that manages billing and payments.
As SecurityWeek noted, Catalyst posted a data breach notice in February, detailing an incident it experienced as early as November 13, 2025, as the date when it was “made aware of suspicious activity related to certain information maintained within its secure file management system.”
It’s not clear if the dark web listing from Everest was how Catalyst became aware of the incident or if its network was shut down and data ransomed, as is common with an attack from this particular nefarious organization.
Notably, Everest did not mention Catalyst in its 12 GB bounty—just Vikor Scientific, Korgene and KorPath. However, all three may have shared data with Catalyst.
The companies did not respond to SecurityWeek’s request for more details, but HealthExec reached out for more information.
Scope of data breach is not clear
Healthcare breaches involving third-party vendors are not uncommon, and under federal law, the company responsible for securing the data is ultimately also responsible for notifying victims, even if their own network did not experience an intrusion.
The law stipulates that, by being stewards of protected health information, any data shared with and stolen from an affiliated vendor is ultimately the responsibility of the company that is the primary caretaker of it—in this case, the diagnostic firm Vikor Scientific and the Korgene and KorPath labs.
As SecurityWeek noted, Korgene and KorPath have yet to report a specific number of victims to the HHS data tracker, which could mean either they are delayed or all the data stemmed from Vikor Scientific.
Catalyst has also yet to report any specific number of victims, despite releasing a data breach notice offering impacted individuals resources to “help protect their information from possible misuse, should they feel it necessary to do so.”
This involved providing details on how victims can contact credit bureaus to have their accounts frozen, in addition to instructions on ways to report suspicious activity.
Catalyst said access credentials to its systems were compromised, leading to the data breach. The specifics of what was taken are unknown.
The total number of victims reported to HHS stands at 139,964.
HealthExec will update this story if we receive more information.
For more details on this case, read SecurityWeek’s coverage by clicking here.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.