Data breach affecting 11 physician practices confirmed to impact 627K patients
A cyberattack on a Georgia-based integrated practice management services company, first revealed in September 2025, was said to have impacted 11 provider practice customers. At the time the full scope of the incident was unclear, but now a new report to the U.S. Department of Health and Human Services’ (HHS) data breach tracker shows that records from 626,540 patients were exposed.
ApolloMD, a physician-owned company in Atlanta that provides services such as patient and clinician scheduling optimization and automated monitoring of uncompensated care, began notifying those impacted in September, but the full number of people whose personal data was accessed or taken during the breach was not revealed until the Feb. 10 public filing.
It’s typical that an incident is made public before an official number is reported, as there is a necessary investigation into any cyberintrusion to gather facts such as the vector and duration of the attack, what files were accessed and more.
ApolloMD did say in September that the initial data breach occurred May 22 to 23, 2025, and that files containing protected health information on patients at its customers' clinics were likely accessed by hackers.
Potentially stolen information, as reported at the time, included names, addresses, dates of birth, provider names, dates of services and full details on care encounters, including diagnosis, treatments and insurance information.
It’s also possible that some had their Social Security numbers exposed, ApolloMD confirmed.
The company said it notified customers about the breach on July 21, 2025, and began sending letters to impacted patients in September, which included the customary credit protection required of a HIPAA-covered entity.
In this case, while the practices are legally responsible for their own patient data, ApolloMD sent out notifications on their behalf. Affected clinics included:
- Passaic Hospitalist Services
- Passaic River Physicians
- Pensacola Hospitalist Physicians
- Broad River Physicians Group
- Olive Branch Emergency Physicians
- Aurora Emergency Physicians
- The Bortolazzo Group
- Methodist University Emergency Physicians
- Trinity Emergency Physicians
- Lorain Emergency Physicians
- Pennsylvania Hospitalist Group
Infamous ransomware gang claims credit
The nature of the cyberattack was never revealed, but the report with HHS confirmed it was a “network intrusion,” which typically means cybercriminals gained direct access to files. This could, and often does, involve the deployment of ransomware—however, ApolloMD did not say whether ransomware was involved, nor if a ransom was demanded or paid to unlock its data.
That data did make its way onto the dark web shortly after the data breach was said to occur, with infamous cybercrime cell Qilin taking credit for the attack. The group promised to release the data, presumably to the public or a potential buyer, if a ransom wasn’t paid.
It was never confirmed whether the claim made by Qilin was true. It’s not clear if protected health information was released to a nefarious actor or the public, given the secretive nature of the dark web.
