Apex Custom Software Data Breach 2025: 1,500 Affected · Ransomware/Supply-Chain Attack on Texas Healthcare Software Vendor. What To Do.
Apex Custom Software, a Texas-based healthcare software developer, was breached by the threat actor 0mid16B on January 16, 2025. The business associate filed a HIPAA breach notification with HHS OCR on January 22, 2025, reporting 1,500 affected individuals. The attackers claimed to have compromised Controlled Substance Monitoring Program databases serving multiple pharmacy and healthcare clients, including allegedly Cardinal Health.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 16, 2025
Threat actor 0mid16B compromises Apex Custom Software environment (supply-chain attack on healthcare software vendor)
Jan 16, 2025
Breach detected
Jan 18, 2025
Latest timestamp on data the attacker later leaked, per DataBreaches.net analysis
Jan 20, 2025
0mid16B publicly tweets that a U.S. healthcare software provider has been hacked and threatens to publish data within 48 hours
Jan 22, 2025
Apex Custom Software files HIPAA breach notification with HHS OCR as a Business Associate, reporting 1,500 individuals affected at Network Server
Jan 29, 2025
Attacker claims to still have network access and that data has been exfiltrated; ransom demand issued
Jan 30, 2025
DataBreaches.net publishes exclusive reporting; sample of leaked Apex Controlled Substance software and apparent Cardinal Health employee credentials appears on attacker channels
Jan 16, 2025
Threat actor 0mid16B compromises Apex Custom Software environment (supply-chain attack on healthcare software vendor)
Jan 16, 2025
Breach detected
Jan 18, 2025
Latest timestamp on data the attacker later leaked, per DataBreaches.net analysis
Jan 20, 2025
0mid16B publicly tweets that a U.S. healthcare software provider has been hacked and threatens to publish data within 48 hours
Jan 22, 2025
Apex Custom Software files HIPAA breach notification with HHS OCR as a Business Associate, reporting 1,500 individuals affected at Network Server
Jan 29, 2025
Attacker claims to still have network access and that data has been exfiltrated; ransom demand issued
Jan 30, 2025
DataBreaches.net publishes exclusive reporting; sample of leaked Apex Controlled Substance software and apparent Cardinal Health employee credentials appears on attacker channels
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Apex Custom Software, a Texas-based software developer that builds applications for the healthcare sector — including Controlled Substance Monitoring Program (CSMP) tooling used by pharmacies and healthcare clients — was breached on January 16, 2025 by a threat actor that calls itself 0mid16B. As a HIPAA Business Associate, Apex filed a breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on January 22, 2025, reporting 1,500 affected individuals in a Network Server incident. Because Apex’s software sits inside multiple covered entities, the 1,500-person figure is widely reported as an interim count and may not capture the full downstream exposure across Apex’s client base.
Timeline
- January 16, 2025 — 0mid16B compromises Apex Custom Software’s environment in what reporting describes as a supply-chain attack on the healthcare software vendor.
- January 18, 2025 — Latest timestamp visible on data the attacker later publishes, per DataBreaches.net.
- January 20, 2025 — 0mid16B tweets publicly that a U.S. healthcare software provider has been hacked, claims server data has been deleted, and gives a 48-hour deadline before publishing data.
- January 22, 2025 — Apex Custom Software files its HIPAA breach notification with HHS OCR as a Business Associate, listing 1,500 affected individuals and Network Server as the location of the breached information.
- January 29, 2025 — Attacker claims to still have access to Apex’s network and that data has been exfiltrated; a ransom demand is issued.
- January 30, 2025 — DataBreaches.net publishes exclusive reporting on the incident, including a sample of leaked Apex Controlled Substance software and what appears to be Cardinal Health employee credentials, some in plaintext, that were stored or accessible through Apex.
What was exposed
The HHS OCR portal entry lists Network Server as the location of breached protected health information and identifies the event as a Hacking/IT Incident affecting 1,500 individuals. Specific data elements have not yet been itemized publicly in the OCR record.
According to reporting from DataBreaches.net and HIPAA Journal, the attacker’s own claims and leak samples suggest the breach reached beyond Apex’s own corporate data:
- Source code and database contents tied to Apex’s Controlled Substance Monitoring Program software.
- User credentials and access details linked to Apex’s downstream healthcare clients.
- Apparent employee information — including some passwords in plaintext — that the attacker attributes to Cardinal Health, one of Apex’s pharmacy-distribution-sector clients.
These attacker-side claims have not been independently confirmed by Apex Custom Software or by Cardinal Health on the record, and the OCR filing is the only government-confirmed data point as of this update.
Credit monitoring / what Apex is offering
Apex Custom Software has not posted a substitute breach notice or detailed remediation offering on a public-facing notice page as of this update. Because Apex filed as a Business Associate, individual notification letters to affected patients are expected to be issued by the covered entities Apex serves, not by Apex directly. Any complimentary credit-monitoring or identity-restoration services should appear in those covered-entity letters when they arrive.
Class-action status
No class-action lawsuit has been publicly filed against Apex Custom Software as of May 16, 2026. There is a separate and unrelated 2024 incident involving Apex Global Solutions (a different Texas-headquartered healthcare IT vendor, ~390,000 patients) which reached a final-approval settlement on May 1, 2026 — do not conflate the two. The Apex Custom Software incident remains in OCR’s “under investigation” tranche.
What to do if you may be affected
The 1,500-person figure in the OCR record is an early count tied to one or a small number of downstream client relationships. The realistic exposure is broader if you are a pharmacy customer, clinical employee, or patient whose data flowed through Apex’s CSMP tooling at any of its clients in late 2024 or early 2025.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft.
- Watch your prescription history. If your covered entity or pharmacy used Apex’s controlled-substance monitoring tooling, identity-theft risk is layered with the secondary risk of fraudulent prescription activity in your name. Pull your prescription history through your insurer or pharmacy portal and review for anything you do not recognize.
- Watch for a notification letter from your healthcare provider or pharmacy, not from Apex directly. As a Business Associate, Apex’s downstream covered-entity clients are the ones obligated to send individual HIPAA breach notifications. Read any letter carefully — it will list the specific data elements exposed and any complimentary credit-monitoring being offered.
- If you are a Cardinal Health employee whose credentials appeared in the leaked sample, rotate those passwords and any reused passwords on personal accounts immediately, and enable multi-factor authentication everywhere it is supported.
- Bookmark this page. We update it as Apex Custom Software, its covered-entity clients, the Texas Attorney General’s office, or HHS OCR publish further information.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach (filed January 22, 2025; 1,500 individuals; Hacking/IT Incident; Network Server).
- DataBreaches.net — Exclusive: Apex Custom Software hacked, threat actors threaten to leak the software — primary investigative reporting on the 0mid16B intrusion, timeline, and leaked-sample analysis.
- HIPAA Journal — Hackers Breach Systems of HIPAA-Regulated Entities in Missouri, Nevada, Texas & Wisconsin — trade-press summary placing Apex within the broader January 2025 healthcare-vendor breach wave.
- Malware.news — Apex Custom Software hacked, threat actors threaten to leak the software — corroborating coverage of the 0mid16B announcement and 48-hour leak threat.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- DataBreaches.net — Exclusive: Apex Custom Software hacked, threat actors threaten to leak the software
- HIPAA Journal — Hackers Breach Systems of HIPAA-Regulated Entities in Missouri, Nevada, Texas & Wisconsin
- Malware.news — Apex Custom Software hacked, threat actors threaten to leak the software
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.