VITAS hospice faces fallout after month-long network intrusion

VITAS Hospice Services, LLC, the largest for-profit hospice chain in the United States, disclosed that it suffered a month-long network intrusion that exposed highly sensitive patient information across multiple states.

 

What happened 

The breach was first identified on October 24, 2025, when VITAS detected unauthorized activity linked to an account belonging to one of its third-party vendors. A forensic investigation later confirmed that the attacker had uninterrupted access to certain VITAS systems between September 21 and October 27, 2025, during which the intruder viewed and downloaded personal and medical data belonging to current and former hospice patients. 

Notifications were filed with the California Attorney General and the Texas Attorney General, with Texas confirming that 5,633 residents were affected, although the full scope remains unknown because many states do not publish breach totals. VITAS brought in a third-party cybersecurity firm, strengthened vendor oversight, and offered 24 months of free credit monitoring while emphasizing that no misuse had yet been detected.

 

What was said

According to VITAS's own notice of security incident, “VITAS discovered that an unauthorized party had compromised the account of one of our vendors and used that account to gain access to some of our systems. Upon discovering this incident, VITAS promptly took action to secure our systems, launched an internal investigation, and engaged outside experts to assist with our investigation and response.”

 

The bigger picture

The year has been dominated by hacking-related incidents, with 81% of all 107 reported breaches categorized as hacking or IT intrusions, the same attack vector used in the VITAS case, where a compromised vendor account provided more than a month of unauthorized access into hospice systems. Across the sector, these attacks have already exposed the data of 1.65 million individuals, and VITAS now joins a growing list of providers struggling with increasingly aggressive threat actors and expanding attack surfaces. 

The overall security posture of organizations reporting breaches also continues to decline: 41% were assessed as high risk in 2025, up from 31% the year before, signaling a worsening vulnerability landscape, especially for providers with complex vendor ecosystems like VITAS. The incident also mirrors a wider problem with cloud-based healthcare environments, as Microsoft 365 accounted for 52% of all healthcare breaches in 2025, although the VITAS intrusion involved a vendor system rather than M365 directly. 

The VITAS incident is positioned alongside major breaches such as the Episource/Optum incident affecting 5.4 million people and the Vision Upright MRI server access incident impacting 21,000 individuals.

 

FAQs

How do attackers usually get in?

Most network intrusions start with stolen credentials, phishing attacks, unpatched systems, or weaknesses in third-party vendor accounts.

 

Why are healthcare networks frequent targets?

Healthcare networks are targeted because medical and identity data have high resale value and providers often rely on complex, interconnected systems.

 

How long do intrusions typically go undetected?

Intrusions often go undetected for weeks or months due to limited monitoring and the attacker’s efforts to blend in with normal network activity.