Another Billing Software Vendor Hacked by Ransomware


Categories: 3rd Party Risk Management, Data Breach Notification, Data Security

Horizon Healthcare RCM Hints at Paying Ransom in Data Theft Incident

Horizon Healthcare RCM is the latest revenue cycle management firm reporting it has been hacked by ransomware criminals. (Image: Horizon Healthcare RCM)

Horizon Healthcare RCM is the latest revenue cycle management software vendor to report a health data breach involving ransomware and data theft. The firm’s breach notification statement suggests that the company paid a ransom to prevent the disclosure of its stolen information.


Horizon Healthcare RCM told Maine’s attorney general in a breach report on June 27 that the incident affected six residents of that state. The company’s report to Maine regulators omitted the total number of people affected overall. As of Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights’ HIPAA Breach Reporting Tool website, which lists major health data breaches affecting 500 or more individuals, did not yet show a report from Horizon Healthcare RCM.

But the incident appears to potentially affect a long list of Horizon Healthcare RCM clients. The Indiana-based company’s website spotlights about a dozen of Horizon Healthcare RCM’s “most rewarding client partnerships” involving its revenue cycle management solutions.

Those spotlighted clients include a mix of large healthcare systems, hospitals and specialty practices, including Ascension Health, Adfinitas Health, Bon Secours Health System, Crook County Medical Services District, Ensemble Health Partners, Franciscan Alliance, Guthrie Lourdes Hospital, Methodist Hospitals, Pinnacle Wound Care, TeleCare Pharmacy and The Podiatry Care Center.

Horizon Healthcare RCM did not immediately respond to Information Security Media Group’s request for additional details about the data security incident, including the number of clients and individual patients affected by the incident, and whether Horizon Healthcare RCM will be handling patient breach notification on behalf of all the affected clients.

As of Monday, none of the clients spotlighted on Horizon Healthcare RCM’s website appeared to have yet reported a breach involving the company’s ransomware incident to federal or state regulators.

Ransom Payment?

In a breach notice and frequently asked questions posted on Horizon Healthcare RCM’s website, the company said that on Dec. 27, 2024, it learned “that a computer virus was used to lock access to some files stored on our computer network.”

In response, Horizon Healthcare RCM said it “securely restored” its systems and took steps to determine what occurred. Some files were “temporarily locked” and later found to be “copied without permission,” the company said.

While the company didn’t admit to paying a ransom, it said, “We arranged for the party responsible for this matter to delete the copied information and are sending notices directly to patients where possible.”

The most common types of information potentially compromised were an internal Horizon number, customer number, or other patient identifier in conjunction with general health insurance claims processing information. In some circumstances, a medical record number was also affected.

“In a small number of instances, non-address contact information, date of birth, Social Security number, driver’s license number, passport number, payment card information, or checking or financial account information were identified,” Horizon Healthcare RCM said.

“Horizon has no indication of an individual experiencing verified identity theft or fraud as a result of this incident,” the company said. The firm also said it reported the incident to federal law enforcement.

As of Monday, several law firms had issued public statements saying they are investigating the Horizon Healthcare RCM hack for potential class action litigation.

Horizon Healthcare RCM is the latest of several revenue cycle management software and related services firms reporting health data breaches involving hacking incidents within the past several months.

ALN Medical Management, a revenue cycle management firm based in Nebraska, in May updated a breach report first filed to HHS OCR a year earlier, in May 2024, regarding a March 2024 hacking incident. Initially, ALN reported the hack with a placeholder estimate of 501 people affected, but in May the company told HHS OCR the incident affected 1.32 million people (see: Revenue Cycle Management Firm’s Data Breach Total Soars).

Last October, Texas-based revenue cycle management firm Gryphon Healthcare also reported to regulators a hack that affected nearly 400,000 individuals (see: Revenue Cycle Vendor Notifying 400,000 Patients of Hack).

More recently, several other vendors that offer similar software and services also have reported massive health data breaches related to hacks.

That includes California-based medical coding and risk adjustment services firm Episource LLC reporting to HHS OCR on June 6 that a ransomware hack discovered in February affected the protected health information of nearly 5.42 million people (see: Breach Roundup: Chinese Hackers Salt Typhoon Hit Viasat).

As of Monday, the Episource hack is the second-largest health data breach posted to the HHS OCR website so far in 2025.

Getting ‘Real’

Some experts said revenue cycle management firms and related software and services companies that serve the healthcare sector are often favorite targets for hackers.

“Frankly, I’m not surprised in the least to see another software vendor in the healthcare space get hit,” said Bob Maley, chief security officer at cybersecurity firm Black Kite.

“It follows a pattern we’ve seen for years. Attackers are all about efficiency, and these RCM companies are a goldmine,” he said.

“Hitting one of them is like poisoning a town’s water supply; suddenly you’ve impacted dozens of hospitals and clinics that all drink from the same well. You get a massive trove of patient data and disrupt the critical financial operations for multiple organizations in one clean shot,” he said.

“For an attacker, the return on that single effort is huge.”

One of the top issues contributing to these incidents is that “too many of these companies are still stuck fighting yesterday’s war,” he said. “They treat security as a compliance drill, but that’s like trying to win a chess match by only playing checkers. It just doesn’t work.”

If they want to survive, “they need a wake-up call,” he said. “First, they have to stop talking about risk in vague colors like ‘red, yellow and green,’” he said.

“The boardroom doesn’t speak in colors; it speaks in dollars and cents. They need to be able to answer the question, ‘What is the probable financial impact of this risk?’ Anything less is just guesswork,” he said.

Second, they have to “get real” about their own supply chain, Maley said.

“These vendors are a critical supplier to hospitals, but who are their suppliers? Relying on a questionnaire to vet them is like driving down the freeway by only looking in the rearview mirror. You’re completely blind to the truck barreling down on you in the next lane. Until they treat security as a fundamental part of the business, not just an IT line item, we’re just going to be having this same conversation when the next one gets breached.”
