Russian cybercrime group hits PBM with ransomware

On Oct. 27, Russia-based cybercrime group Qilin posted to the dark web claiming it had successfully hacked pharmacy benefit manager (PBM) MedImpact, with the group releasing screenshots of documents that appear to be billing invoices.

In reviewing the post, Cybernews said the snippets are “mostly financial operation details which don’t seem to contain extremely sensitive personal data.” MedImpact later confirmed that what Qilin said was true, releasing a short statement about its ongoing investigation into the incident, which it said is being conducted with the “assistance of one of the nation’s leading cybersecurity firms and is notifying all applicable authorities.”

The PBM also confirmed that the attack involved the deployment of ransomware, and that at least part of its infrastructure is still down. It said it deployed containment measures upon noticing the breach; such measures often involve taking all systems offline until the situation is assessed.

“MedImpact is currently working to restore impacted systems in a new environment that is segregated from the prior infrastructure and protected by multiple layers of defense. Due to these measures, as of today, pharmacy claims for all clients are now adjudicating,” the company wrote. 

“The company apologizes for any disruption this issue may cause its clients and partners,” it added. 

MedImpact serves health plans, employers and government programs by managing their prescription drug benefits. It impacts roughly 50 million patients; however, it’s unclear if any of them are affected by this breach. 

As it stands, Qilin has yet to reveal anything that looks like it contains protected health information. Instead, it seems MedImpact's bank records were stolen. According to researchers at Cybernews, no “information about the patients who used the insurance” has been revealed. 


Qilin causes chaos across the globe 

Since making itself known in 2022, Qilin has become notorious in the cybercrime underground for its frequent, successful ransomware attacks on a variety of organizations across the globe. According to Cybernews, it’s responsible for 700 such attacks in 2025 alone—and counting.

The identity of the individual or individuals behind the gang is not known. Cybernews and other research firms say evidence points to Qilin being located in—and likely backed by—Russia. 

Its number of victims only rises year over year, as the cybercrime cell shows no signs of slowing down. 

An investigation into the MedImpact breach is ongoing. The data trove posted to the dark web contains 160GB of information. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
