ApolloMD breach impacts multiple physician groups across the U.S.

A cyberattack on practice management provider ApolloMD has led to the exposure of sensitive health data from several affiliated physician practices.

 

What happened

ApolloMD Business Services, a Georgia-based provider of physician and practice management services, has disclosed a cybersecurity incident affecting multiple physician practice clients. Suspicious activity was first detected on May 22, 2025. A third-party investigation later confirmed that an unauthorized party had accessed ApolloMD’s network between May 22 and May 23.

During that brief window, files containing electronic protected health information (ePHI) were likely accessed or stolen. The compromised information included patient names, dates of birth, treatment and diagnosis data, provider names, and insurance details. A smaller subset of individuals also had their Social Security numbers exposed.

 

Going deeper

While ApolloMD has not shared specifics about the attack, the Qilin ransomware group claimed responsibility and listed ApolloMD on its dark web leak site in June 2025. The group claimed to have stolen a large volume of data and threatened to release it if a ransom was not paid by June 16. At the time of writing, Qilin's leak site is inaccessible, and it remains unclear whether the data was published.

Qilin has been among the most active ransomware groups in 2025, reportedly claiming more than twice as many victims as any other group through August. However, cybersecurity experts caution that ransomware actors often exaggerate or fabricate claims to apply pressure on victims.

ApolloMD notified affected practices between July 21 and September 11, and began mailing notification letters to impacted individuals on September 17. Those whose Social Security numbers were exposed are being offered complimentary credit monitoring and identity protection services. The breach has not yet appeared on the U.S. Department of Health and Human Services’ Office for Civil Rights public breach portal.

 

What was said

ApolloMD has not disclosed the total number of individuals impacted by the breach. The company is handling patient notifications on behalf of several affiliated physician groups, including:

Passaic Hospitalist Services LLC, Pensacola Hospitalist Physicians LLC, Broad River Physicians Group LLC, Olive Branch Emergency Physicians LLC, Aurora Emergency Physicians LLC, Passaic River Physicians LLC, The Bortolazzo Group LLC, Methodist University Emergency Physicians PLLC, Trinity Emergency Physicians LLC, Lorain Emergency Physicians LLC, and Pennsylvania Hospitalist Group LLC.

The breach affected patients treated by these and other ApolloMD-affiliated practices. The company noted that it took immediate steps to secure its systems and continues to actively monitor for any misuse of the compromised data.

 

FAQs

What is a business associate in the context of HIPAA?

A business associate is a third-party organization that performs functions involving protected health information (PHI) on behalf of a covered entity, such as a hospital or physician group.

 

What is electronic protected health information (ePHI)?

ePHI refers to any PHI that is created, stored, transmitted, or received in electronic form, including medical histories, lab results, insurance details, and billing records.

 

Who is responsible for notifying patients after a breach involving a business associate?

Under HIPAA, the business associate must notify the covered entity, which is then responsible for ensuring that patients are informed. In this case, ApolloMD is handling notifications on behalf of its clients.

 

What happens if a ransomware group’s claims turn out to be false?

Even when ransomware groups exaggerate or fabricate claims, organizations are still required to investigate the incident and follow breach notification laws if data exposure cannot be ruled out.

 

Why hasn’t the breach been listed on the HHS breach portal yet?

There may be delays between incident discovery, investigation, and formal breach reporting. ApolloMD may still be determining the total number of individuals affected before reporting to HHS.