Active breach tracker TX Disclosed January 22, 2025

Apex Custom Software Data Breach 2025: 1,500 Affected · Ransomware/Supply-Chain Attack on Texas Healthcare Software Vendor. What To Do.

Apex Custom Software, a Texas-based healthcare software developer, was breached by the threat actor 0mid16B on January 16, 2025. The business associate filed a HIPAA breach notification with HHS OCR on January 22, 2025, reporting 1,500 affected individuals. The attackers claimed to have compromised Controlled Substance Monitoring Program databases serving multiple pharmacy and healthcare clients, including allegedly Cardinal Health.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 16, 2025

Threat actor 0mid16B compromises Apex Custom Software environment (supply-chain attack on healthcare software vendor)

Jan 16, 2025

Breach detected

Jan 18, 2025

Latest timestamp on data the attacker later leaked, per DataBreaches.net analysis

Jan 20, 2025

0mid16B publicly tweets that a U.S. healthcare software provider has been hacked and threatens to publish data within 48 hours

Jan 22, 2025

Apex Custom Software files HIPAA breach notification with HHS OCR as a Business Associate, reporting 1,500 individuals affected at Network Server

Jan 29, 2025

Attacker claims to still have network access and that data has been exfiltrated; ransom demand issued

Jan 30, 2025

DataBreaches.net publishes exclusive reporting; sample of leaked Apex Controlled Substance software and apparent Cardinal Health employee credentials appears on attacker channels

Data exposed

03

Contact & insurance

Phishing + targeted scams

Protected health information (specific data elements not yet publicly itemized in the OCR filing) Allegedly: Controlled Substance Monitoring Program (CSMP) database contents Allegedly: employee credentials including plaintext passwords belonging to a downstream client (Cardinal Health, per threat-actor claims)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Apex Custom Software, a Texas-based software developer that builds applications for the healthcare sector — including Controlled Substance Monitoring Program (CSMP) tooling used by pharmacies and healthcare clients — was breached on January 16, 2025 by a threat actor that calls itself 0mid16B. As a HIPAA Business Associate, Apex filed a breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on January 22, 2025, reporting 1,500 affected individuals in a Network Server incident. Because Apex’s software sits inside multiple covered entities, the 1,500-person figure is widely reported as an interim count and may not capture the full downstream exposure across Apex’s client base.

Timeline

  • January 16, 2025 — 0mid16B compromises Apex Custom Software’s environment in what reporting describes as a supply-chain attack on the healthcare software vendor.
  • January 18, 2025 — Latest timestamp visible on data the attacker later publishes, per DataBreaches.net.
  • January 20, 2025 — 0mid16B tweets publicly that a U.S. healthcare software provider has been hacked, claims server data has been deleted, and gives a 48-hour deadline before publishing data.
  • January 22, 2025 — Apex Custom Software files its HIPAA breach notification with HHS OCR as a Business Associate, listing 1,500 affected individuals and Network Server as the location of the breached information.
  • January 29, 2025 — Attacker claims to still have access to Apex’s network and that data has been exfiltrated; a ransom demand is issued.
  • January 30, 2025 — DataBreaches.net publishes exclusive reporting on the incident, including a sample of leaked Apex Controlled Substance software and what appears to be Cardinal Health employee credentials, some in plaintext, that were stored or accessible through Apex.

What was exposed

The HHS OCR portal entry lists Network Server as the location of breached protected health information and identifies the event as a Hacking/IT Incident affecting 1,500 individuals. Specific data elements have not yet been itemized publicly in the OCR record.

According to reporting from DataBreaches.net and HIPAA Journal, the attacker’s own claims and leak samples suggest the breach reached beyond Apex’s own corporate data:

  • Source code and database contents tied to Apex’s Controlled Substance Monitoring Program software.
  • User credentials and access details linked to Apex’s downstream healthcare clients.
  • Apparent employee information — including some passwords in plaintext — that the attacker attributes to Cardinal Health, one of Apex’s pharmacy-distribution-sector clients.

These attacker-side claims have not been independently confirmed by Apex Custom Software or by Cardinal Health on the record, and the OCR filing is the only government-confirmed data point as of this update.

Credit monitoring / what Apex is offering

Apex Custom Software has not posted a substitute breach notice or detailed remediation offering on a public-facing notice page as of this update. Because Apex filed as a Business Associate, individual notification letters to affected patients are expected to be issued by the covered entities Apex serves, not by Apex directly. Any complimentary credit-monitoring or identity-restoration services should appear in those covered-entity letters when they arrive.

Class-action status

No class-action lawsuit has been publicly filed against Apex Custom Software as of May 16, 2026. There is a separate and unrelated 2024 incident involving Apex Global Solutions (a different Texas-headquartered healthcare IT vendor, ~390,000 patients) which reached a final-approval settlement on May 1, 2026 — do not conflate the two. The Apex Custom Software incident remains in OCR’s “under investigation” tranche.

What to do if you may be affected

The 1,500-person figure in the OCR record is an early count tied to one or a small number of downstream client relationships. The realistic exposure is broader if you are a pharmacy customer, clinical employee, or patient whose data flowed through Apex’s CSMP tooling at any of its clients in late 2024 or early 2025.

  • Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft.
  • Watch your prescription history. If your covered entity or pharmacy used Apex’s controlled-substance monitoring tooling, identity-theft risk is layered with the secondary risk of fraudulent prescription activity in your name. Pull your prescription history through your insurer or pharmacy portal and review for anything you do not recognize.
  • Watch for a notification letter from your healthcare provider or pharmacy, not from Apex directly. As a Business Associate, Apex’s downstream covered-entity clients are the ones obligated to send individual HIPAA breach notifications. Read any letter carefully — it will list the specific data elements exposed and any complimentary credit-monitoring being offered.
  • If you are a Cardinal Health employee whose credentials appeared in the leaked sample, rotate those passwords and any reused passwords on personal accounts immediately, and enable multi-factor authentication everywhere it is supported.
  • Bookmark this page. We update it as Apex Custom Software, its covered-entity clients, the Texas Attorney General’s office, or HHS OCR publish further information.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.