Wakefield & Associates confirms healthcare client data breach
Farah Amod
Nov 27, 2025 9:12:08 AM
A Tennessee-based medical collections vendor has reported a January cyberattack that exposed patient data from multiple healthcare providers.
What happened
Wakefield & Associates, a revenue cycle and collections vendor based in Knoxville, Tennessee, disclosed a data breach that occurred in January 2025. Suspicious activity was first detected on or around January 17, and a forensic investigation later confirmed unauthorized access to patient files, some of which were exfiltrated. The initial intrusion is believed to have taken place on January 14.
After months of internal review, Wakefield determined in late September that the compromised data included protected health information (PHI) from its healthcare clients. While most affected individuals had only names and account details exposed, others may have had Social Security numbers, financial data, driver's license numbers, and health information compromised.
Going deeper
Wakefield & Associates began notifying impacted individuals on behalf of its clients and is offering complimentary credit monitoring and identity theft protection services. Although the company did not confirm the nature of the attack, signs point to ransomware. The Akira threat group claimed responsibility in February via its dark web leak site, stating it had stolen 13 GB of data, including patient and employee records.
Northern Montana Health Care is the only affected client named so far. Notifications sent to state attorneys general revealed 26,624 residents were impacted in Montana and 41 in Maine. Wakefield has reported the incident to law enforcement and regulators, though federal breach tracking is facing delays due to the recent government shutdown.
What was said
Wakefield stated it has reviewed and strengthened its security protocols in response to the incident. The company has not released further details about the attack or provided a complete list of affected healthcare clients. The Office for Civil Rights (OCR) breach portal remains outdated, so the full scope of the breach is still unclear.
The Akira threat group has been linked to a string of ransomware incidents in the healthcare sector, often exfiltrating large volumes of sensitive data before demanding ransom payments.
The big picture
According to research published on arXiv, healthcare data breaches continue to rise each year, driven by the high resale value of PHI across dark web markets. The study notes that many incidents stem from phishing, denial-of-service attacks, and mistakes made by employees, with human error remaining a consistent vulnerability even in organizations that have invested heavily in technical safeguards.
The authors point out that incidents can be mitigated through ongoing employee education and a structured incident response plan. For vendors like Wakefield & Associates, who handle large volumes of sensitive patient information on behalf of multiple healthcare providers, the findings reinforce how necessary sustained training, awareness, and preparedness are for reducing the escalating risk of PHI exposure.
FAQs
What is the Akira ransomware group, and what tactics do they use?
Akira is a ransomware group known for targeting healthcare and corporate networks. They often exfiltrate data before encryption, using the stolen information as leverage for extortion via dark web leak sites.
Why does it take so long to identify and report the full extent of a breach?
Forensic investigations and manual reviews of compromised data can take months, especially when multiple clients are involved and data sets are large or unstructured.
What are revenue cycle management vendors, and why do they have PHI?
Vendors like Wakefield & Associates manage billing, collections, and insurance claims for healthcare providers. They require access to patient data to pursue outstanding balances and resolve account issues.
How does a government shutdown affect breach reporting?
During a shutdown, federal portals like the HHS OCR breach reporting system may not be updated, leading to delays in public awareness and official breach statistics.
Can patients directly verify if their data was compromised?
Patients should receive direct notification letters if affected. If uncertain, they can contact their healthcare provider or the vendor for more information and inquire about the offered identity protection services.