626,000 Patient Records Stolen in ApolloMD Breach as Healthcare's Ransomware Nightmare Continues

By Tech Writer and Security Investigator Dominykas Zukas
Last updated: 13 February, 2026

The healthcare industry keeps taking hit after hit, with most organizations refusing to apply obviously needed security improvements. And yet it's the patients, whose data keeps getting exposed, who truly can't catch a break.

ApolloMD Business Services, a Georgia-based physician management company, finally disclosed that 626,540 patients across 18 states had their medical records stolen in a ransomware attack. The breach happened back in May 2025, but the full scope only hit the Department of Health and Human Services breach portal this week.

That's nine months of your Social Security number, medical history, and treatment details floating around somewhere while most, if not all, people affected had no idea. ApolloMD partners with over 125 medical practices nationwide, handling everything from emergency medicine to hospital care. Patients who've never even heard of ApolloMD are finding out their data's been compromised.

Over Half a Million Patients Exposed

The timeline is what you’d call brutal. On May 22, 2025, ApolloMD's IT team noticed something off. By May 23, hackers had already finished. Two days was all it took to grab files containing names, birthdates, addresses, diagnoses, treatment information, and health insurance details for over 626,000 people. Oh, and of course, the Social Security numbers too.

The Qilin ransomware group claimed responsibility in June, bragging they'd stolen 238 GB of data. They posted ApolloMD on their dark web leak site and threatened to dump everything. Whether ApolloMD paid up, we don't know. What we do know is that if you were in their system, your medical data is likely now part of that 238 GB haul.

ApolloMD started mailing notification letters in September 2025, offering free credit monitoring for anyone whose Social Security number was exposed. If only credit monitoring could unsteal your medical history.

Healthcare's Ransomware Problem Won't Quit

This isn't even close to being an isolated incident. Qilin's been on an absolute tear through the healthcare sector lately.

The ransomware group hit over 700 targets in 2025 alone, with healthcare being one of their favorite hunting grounds. They attacked Covenant Health earlier this year, compromising 478,000 patient records. Before that, they caused chaos in the UK's National Health Service through an attack on pathology services provider Synnovis.

Why healthcare? Well, medical facilities can't afford downtime when lives are on the line. Patient data is incredibly valuable on the black market. And most healthcare organizations are running outdated systems with security that's barely holding together, ignoring the fact that the data they hold is of the utmost importance.

ApolloMD operates across emergency medicine, hospital care, anesthesiology, and radiology in 18 states. That's a massive attack surface, and, needless to say, their security clearly wasn't up to the task.

Nine Months Later, Victims Finally Get Told

Let's talk about the elephant in the room for a moment: the nine-month gap. ApolloMD discovered the breach in May 2025. They notified physician practices between July and September. They started mailing letters to patients in September. But it wasn't until February 2, 2026, that the Department of Health and Human Services got officially notified of the full scale.

Nine months for 626,540 people to find out their most sensitive information got stolen. During that time, anyone affected could've had fraudulent medical claims filed, fake prescriptions written, or tax returns stolen using their Social Security numbers. All without knowing they needed to be on alert. And it’s not even like you can change any of this data.

Sure, ApolloMD is offering credit monitoring, but that only catches financial fraud after it happens. It does nothing for medical identity theft, which can mess up your actual medical records and affect your care.

What's most infuriating about this is that it's not the first time, and likely not the last, that companies simply don't feel the urgency to notify victims as soon as possible. They act as if this is no big deal and get away with minimal consequences, while those affected have to deal with this for the rest of their lives.

Healthcare organizations are bleeding data while refusing to take any real action to prevent this, and patients pay the price. Unless something fundamentally changes about healthcare cybersecurity, these breaches will keep happening and will likely only get bigger.


© Copyright 2026 UAB "MN Intelligence"