Next Step Healthcare data breach impacts over 12,000

Next Step Healthcare, LLC, which operates nursing and rehabilitation facilities in Massachusetts, has notified over 12,000 individuals of a data breach that may have exposed their personal and protected health information (PHI). The incident involved unauthorized network access and potential data exfiltration, with the Qilin ransomware group reportedly claiming responsibility.

What happened

According to Next Step Healthcare's notice, the company learned of unusual activity in its network on June 5, 2024. In response, immediate measures were taken to terminate the activity and secure its systems. An investigation, conducted with the assistance of external cybersecurity experts, determined that data may have been accessed or downloaded without authorization from certain Next Step systems around that time. A thorough review of these systems to identify the scope of the incident and the affected data concluded on May 22, 2025.

What's new

Next Step Healthcare has reported to the HHS Office for Civil Rights that the PHI of 12,090 current and former residents was involved. The compromised information varies by individual but may include:

  • Full names
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Financial account numbers (including credit/debit card numbers)
  • Diagnosis or treatment information
  • Other health-related information

Next Step is offering identity theft protection services through IDX, including credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and managed identity theft recovery services. A dedicated toll-free call center (1-877-674-1598) has been established. Several law firms, including those working with ClassAction.org and Strauss Borrelli PLLC, are investigating the breach.

Why it matters

This breach is significant due to the extensive range of sensitive data exposed, including Social Security numbers, financial account details, and detailed medical information. Such a compromise places affected individuals at substantial risk of identity theft, financial fraud, and medical identity theft.

The intrigue

The most notable aspect is the delay between Next Step Healthcare discovering the "unusual activity" in June 2024 and notifying affected individuals in late May 2025. Adding to this, the ransomware group Qilin reportedly claimed responsibility for an attack on Next Step Healthcare on July 17, 2024, just weeks after the initial incident. Next Step's public notices do not directly confirm a ransomware attack, but the timing of the claim and Qilin's known targeting of healthcare organizations are consistent with it.

What they're saying

In its public statement, Next Step Healthcare said it "takes the privacy and security of all information within its possession very seriously" and "deeply regrets any inconvenience or concern this incident may cause." The company stated it took immediate measures to secure its systems and engaged cybersecurity experts.

Law firms are investigating whether Next Step Healthcare had adequate security measures and if the delay in notification increased harm to victims.

Looking ahead

Affected individuals are strongly urged to enroll in the IDX identity protection services and remain vigilant by monitoring their financial accounts, credit reports, and Explanation of Benefits (EOBs).

The involvement of a known ransomware group and the lengthy notification delay are likely to attract regulatory scrutiny from HHS OCR and state Attorneys General. This incident shows the persistent threat of ransomware to the healthcare sector and the importance of rapid investigation and timely, transparent communication following a breach.

FAQs

What is a ransomware attack?

Ransomware is a type of malicious software that encrypts a victim's files or systems, making them inaccessible. Attackers demand a ransom, often in cryptocurrency, for the decryption key. Many groups also steal data before encryption (double extortion), threatening to publish it if the ransom isn't paid.

Why was there such a long delay between the incident and patient notification?

Next Step Healthcare detected unusual activity in June 2024. Their internal review to identify the scope of the incident and affected data concluded in May 2025, after which notifications were sent. Such lengthy review periods, while sometimes necessary for complex investigations, can increase risks for affected individuals if critical information is not shared sooner.

What should affected Next Step Healthcare patients do?

Patients should carefully review the notification letter they received, enroll in the complimentary IDX identity protection services, monitor their credit reports and financial statements for suspicious activity, and be cautious of unsolicited communications. They can contact the dedicated call center for questions.