Highlands Oncology breach exposes data of over 113,000 patients

A ransomware group infiltrated the Arkansas-based healthcare provider's systems for over four months before detection.

 

What happened

Highlands Oncology Group PA, based in Northwest Arkansas, discovered on June 2, 2025, that its computer systems had been breached. The investigation determined that unauthorized access occurred between January 21 and June 2, 2025. During this time, the ransomware group MEDUSA accessed the network, encrypted files, and likely exfiltrated sensitive data belonging to more than 113,000 individuals across the U.S., including six in Maine.

The breach exposed a wide range of personally identifiable information (PII) and protected health information (PHI), including names, Social Security numbers, driver’s license and passport numbers, financial account details, digital signatures, and medical and insurance records.

 

Going deeper

On June 19, 2025, the MEDUSA ransomware group claimed responsibility for the attack. They posted screenshots of stolen files and threatened to leak the full dataset on the dark web. The breach was officially reported on August 1, 2025, the same day affected individuals began receiving written notification from Highlands Oncology Group.

The company published a disclosure on its website and launched a response plan that includes offering impacted individuals a one-year subscription to Experian IdentityWorks Credit 3B. The service includes credit monitoring, identity restoration, and up to $1 million in identity theft insurance.

 

What was said

Highlands Oncology has advised affected individuals to enroll in the identity protection service and remain alert for suspicious activity. They’ve also encouraged placing fraud alerts or credit freezes and reporting any fraud to law enforcement. Additional support resources from the Federal Trade Commission were provided for those seeking further protection guidance.

According to Highlands Oncology, “an unauthorized third party accessed Highlands’ computer network at times between January 21, 2025, and June 2, 2025, and encrypted some of its files.”

 

FAQs

Who is MEDUSA, and what do they typically target?

MEDUSA is a known ransomware group that targets organizations likely to pay ransoms, including healthcare, education, and public institutions. They often use data extortion tactics by threatening to leak sensitive files.

 

What is Experian IdentityWorks Credit 3B, and how does it help?

It is a credit monitoring and identity theft protection service that includes triple-bureau credit reports, alerts, identity restoration support, and insurance coverage for financial losses due to identity theft.

 

What should individuals do if they suspect their data was misused?

They should file a police report, notify the Federal Trade Commission, consider a credit freeze, and monitor all financial accounts for unauthorized activity.

 

How can someone place a fraud alert or credit freeze?

You can request a fraud alert or freeze through any of the three major credit bureaus: Experian, TransUnion, or Equifax. These services are typically free and add an extra layer of protection.