A ransomware group had access to the Arkansas-based healthcare provider's systems for over four months before detection.
Highlands Oncology Group PA, based in Northwest Arkansas, discovered on June 2, 2025, that its computer systems had been breached. The investigation determined that unauthorized access occurred between January 21 and June 2, 2025. During this time, the ransomware group MEDUSA accessed the network, encrypted files, and likely exfiltrated sensitive data belonging to more than 113,000 individuals across the U.S., including six in Maine.
The breach exposed a wide range of personally identifiable information (PII) and protected health information (PHI), including names, Social Security numbers, driver’s license and passport numbers, financial account details, digital signatures, and medical and insurance records.
On June 19, 2025, the MEDUSA ransomware group claimed responsibility for the attack. They posted screenshots of stolen files and threatened to leak the full dataset on the dark web. The breach was officially reported on August 1, 2025, the same day affected individuals began receiving written notification from Highlands Oncology Group.
The company published a disclosure on its website and launched a response plan that includes offering impacted individuals a one-year subscription to Experian IdentityWorks Credit 3B. The service includes credit monitoring, identity restoration, and up to $1 million in identity theft insurance.
Highlands Oncology has advised affected individuals to enroll in the identity protection service and remain alert for suspicious activity. They’ve also encouraged placing fraud alerts or credit freezes and reporting any fraud to law enforcement. Additional support resources from the Federal Trade Commission were provided for those seeking further protection guidance.
According to Highlands Oncology, “an unauthorized third party accessed Highlands’ computer network at times between January 21, 2025, and June 2, 2025, and encrypted some of its files.”
MEDUSA is a known ransomware group that targets organizations likely to pay ransoms, including healthcare, education, and public institutions. They often use data extortion tactics by threatening to leak sensitive files.
Experian IdentityWorks Credit 3B is a credit monitoring and identity theft protection service that includes triple-bureau credit reports, alerts, identity restoration support, and insurance coverage for financial losses due to identity theft.
Affected individuals should file a police report, notify the Federal Trade Commission, consider a credit freeze, and monitor all financial accounts for unauthorized activity.
You can request a fraud alert or freeze through any of the three major credit bureaus: Experian, TransUnion, or Equifax. These services are typically free and add an extra layer of protection.