Cyber Incident Victim: Korgene

In November 2025 theEverest ransomware group posted the names of Vikor Scientific, its affiliate KorPath, and Korgene on its leak website, signaling that data had been exfiltrated from those organizations. The posting came after the group had allegedly stolen information and later published it on the site. Although the ransomware group listed the three companies, investigators determined that the attackers did not compromise Vikor Scientific, KorPath, or Korgene directly. Instead, the intrusion originated from Catalyst RCM, a third‑party revenue cycle management provider that handles medical coding and billing for the diagnostic firms.

Catalyst RCM disclosed on its website in January 2026 that it had detected suspicious activity within its secure file management system in mid‑November 2025. An investigation revealed that compromised credentials had been used to gain access to the system, allowing the attackers to exfiltrate files containing names, dates of birth, payment card details, medical information, and health insurance information. Catalyst notified affected individuals that the compromised data were in its possession because it provides medical coding and billing services to Vikor Scientific, KorPath, and Korgene. The U.S. Department of Health and Human Services breach tracker later recorded the incident under Vikor Scientific, indicating that 139,964 individuals were impacted.

KorPath and Korgene have not yet submitted their own breach reports to HHS, so the exact number of individuals affected across all three entities remains unspecified. Catalyst’s notice did not provide a separate count for KorPath or Korgene, leaving open whether the 139,964 figure represents the total affected population or only a subset. Consequently, the full scope of the breach, including any additional records that may have been taken from the affiliated laboratories, is still uncertain.