Cyber Incident Victim: Catalyst RCM
Date: Nov 2025
Location: United States of America
Summary
Catalyst RCM discovered suspicious activity in its secure file management system after attackers used compromised credentials to gain access. The intrusion exposed files containing names, dates of birth, payment card details, medical information and health insurance data that the company held while providing medical coding and billing services for Vikor Scientific, KorPath and Korgene. According to a notice posted on its website, the breach affected nearly 140,000 individuals, though the exact total remains uncertain. The Everest ransomware group later listed the affected laboratories on its leak site and published data allegedly taken from the compromised files.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In mid‑November 2025 Catalyst RCM detected suspicious activity within its secure file management system and launched an investigation. The investigation determined that compromised credentials had been used to gain access to the system. The files that were accessed contained names, dates of birth, payment card details, medical information and health insurance information. Catalyst RCM stated that the compromised data were in its possession because it provides medical coding and billing services to Vikor Scientific, KorPath and Korgene. In November 2025 the Everest ransomware group listed Vikor Scientific, KorPath and Korgene on its leak website and later published data allegedly stolen from those companies.

The breach was recorded on the U.S. Department of Health and Human Services healthcare data breach tracker, which shows Vikor Scientific (recently rebranded as Vanta Diagnostics) as the victim of a compromise affecting 139,964 individuals. Catalyst RCM, KorPath and Korgene have not yet disclosed the number of impacted individuals to HHS, leaving it unclear whether the 139,964 figure represents the total number of affected people or if the actual count is higher. The compromised information includes personal identifiers, financial data and health‑related details as described in Catalyst’s breach notice. The breach notice was posted on Catalyst RCM’s website earlier in February 2026. Affected individuals were notified by Catalyst RCM about the specific categories of data that were exposed.

Catalyst RCM’s response included the detection of suspicious activity, the forensic investigation that identified compromised credentials, and the issuance of a public breach notice. The company also sent direct notifications to the individuals whose data were stored in the files accessed by the attackers. Catalyst RCM, KorPath and Korgene have not yet provided HHS with a formal count of the victims. The incident remains under review as the exact total number of affected individuals has not been definitively established.
