Active breach tracker Atlanta, GA Disclosed February 2, 2026

ApolloMD Data Breach 2026 (Qilin Ransomware): 626,540 Emergency-Medicine Patients Exposed. Settlement Already Filed. What Was Stolen and What To Do

ApolloMD Business Services, the Atlanta-based emergency-medicine and hospitalist staffing firm, disclosed in September 2025 that the Qilin ransomware group stole 238 GB of patient data from its network in May 2025. 626,540 individuals affected across 11 physician-practice clients. A $4.02M settlement is already in preliminary approval. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 22, 2025

Unauthorized access detected; intrusion same day

May 22, 2025

Attacker gained access

Jun 12, 2025

Qilin claims attack on leak site (238 GB exfiltrated)

Sep 17, 2025

Individual notification letters mailed

Jan 30, 2026

Mediation; $4.02M settlement agreed in principle

Feb 2, 2026

Filed with HHS OCR (626,540 individuals)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number (subset)

02

Health records

Don't expire and can't be reissued

Diagnoses Treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Home address Provider name Dates of service Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Kopelowitz Ostrow (Interim Co-Lead) Milberg PLLC (Interim Co-Lead) Strauss Borrelli Federman & Sherwood Edelson Lechtzin The Lyon Firm Pittman, Dutton, Hellums, Bradley & Mann Gibbs Law Group
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

ApolloMD Business Services, LLC is an Atlanta-based physician-staffing firm. It places emergency-medicine and hospitalist physicians and nurse practitioners at hospitals across 18 states, claiming over 100 hospital clients, 3,400 clinicians, and 4.2 million patient encounters per year. ApolloMD is privately held and describes itself as physician-owned.

On May 22, 2025, ApolloMD detected unauthorized activity inside its network. The intrusion was contained within approximately 48 hours (May 22 to May 23). On June 12, 2025, the Qilin ransomware group claimed responsibility on its dark web leak site, stating it had exfiltrated approximately 238 GB of data. ApolloMD did not pay the ransom, and Qilin subsequently published the stolen data.

ApolloMD’s affiliated physician practices were notified between July and September 2025. Individual notification letters were mailed beginning September 17, 2025, and a public notice was posted to ApolloMD’s website on September 15, 2025. The official HHS OCR submission did not happen until February 2, 2026, confirming 626,540 affected individuals. The roughly nine-month gap between detection and OCR filing exceeds HIPAA’s 60-day notification rule and has been flagged in industry reporting.

Notably, ApolloMD’s notification letter does not mention ransomware, Qilin, or the leak-site publication of stolen data. Those facts come from independent security reporting and the Qilin leak-site posting itself.

What was stolen

The compromised data included:

  • Full name
  • Date of birth
  • Home address
  • Social Security number (for a subset of affected individuals; not all)
  • Diagnoses
  • Provider name (the specific ApolloMD-affiliated physician who saw you)
  • Dates of service
  • Treatment information
  • Health insurance information

The amended complaint and settlement filings indicate that financial account information and payment card data were not exposed.

Who is affected (11 ApolloMD-affiliated practices)

ApolloMD names 11 affiliated physician-practice LLCs in the notification letters. These are the entities that staffed the emergency departments and hospitalist services you may have seen. The hospital you visited is generally NOT named in the notice (the breach was at the staffing-company level, not at the underlying hospital):

  • Passaic Hospitalist Services LLC
  • Pensacola Hospitalist Physicians LLC
  • Broad River Physicians Group LLC
  • Olive Branch Emergency Physicians LLC
  • Aurora Emergency Physicians LLC
  • Passaic River Physicians LLC
  • The Bortolazzo Group LLC
  • Methodist University Emergency Physicians PLLC
  • Trinity Emergency Physicians LLC
  • Lorain Emergency Physicians LLC
  • Pennsylvania Hospitalist Group LLC

If you received emergency department care or hospitalist (inpatient) care at any hospital served by any of these practices between roughly 2020 and 2025, you may be affected. The practice names will appear on your ER or hospital bill under “physician services” line items, separate from the hospital’s facility-services bill.

What ApolloMD is offering, plus the proposed settlement

ApolloMD offered complimentary credit monitoring and identity-theft protection only to individuals whose Social Security numbers were exposed. The vendor and duration were not specified in the public notice. ApolloMD incident response line: 833-397-6797 (Monday to Friday, 8 a.m. to 8 p.m. Eastern).

The proposed class-action settlement adds more for everyone. On January 30, 2026, the parties reached an agreement in principle on a $4,020,000 non-reversionary settlement fund:

  • Tier A: Reimbursement up to $5,000 for documented out-of-pocket losses related to the breach
  • Tier B: Alternative ~$75 cash payment for class members who do not document specific losses
  • All class members: 1 year of CyEx medical-data monitoring (catches medical identity theft signals beyond what credit monitoring covers)

The settlement is in preliminary-approval stage. The claim portal is not yet live as of mid-May 2026. Final approval hearing date has not been set publicly.

The consolidated docket is In re ApolloMD Data Breach Litigation, 1:25-cv-05439 (N.D. Ga., Atlanta Division), with Jeff Ostrow of Kopelowitz Ostrow and Casondra Turner of Milberg as Interim Co-Lead Class Counsel.

What to do if you received a notification letter

This week:

  1. If your letter mentions SSN exposure: enroll in the offered credit monitoring. Place free credit freezes at Equifax, Experian, and TransUnion. File IRS Form 14039.
  2. Watch for the claim portal. When the settlement receives preliminary approval (expected within weeks of this writing), a claim form will go live. You will need to retain your notification letter and any receipts of expenses tied to the breach.
  3. Watch for the CyEx medical-data monitoring enrollment. All class members are eligible for this regardless of SSN status. CyEx looks for medical identity theft signals (someone using your insurance for their own care), which credit monitoring does not catch.

This month:

  1. Decide whether to opt out. If you have specific high-dollar losses you can document, you may want to sue individually rather than accept the class settlement. The opt-out window opens at preliminary approval. We are not a law firm and cannot give you legal advice; consult your own attorney.
  2. Stop the ongoing flow of your medical data. HealthConsent files HIPAA restriction requests, FTC HBNR deletion requests, and state-law deletion requests across data brokers, ad-tech buyers, and consumer-health platforms so the diagnosis and treatment data exposed in this breach is not continuously re-sold downstream. Because Qilin published the stolen data publicly, your record is in the wild and the ongoing-flow problem is more serious than it would be for an unpublished breach.

Frequently asked questions

Why did this take 9 months to reach HHS OCR after detection?

Good question, and one that the plaintiffs’ complaints emphasize. HIPAA’s Breach Notification Rule requires covered entities and business associates to notify HHS within 60 days of discovery for breaches affecting 500 or more individuals. ApolloMD detected the intrusion on May 22, 2025, but the OCR submission was not made until February 2, 2026. ApolloMD’s position is that the affected-individual count and per-record detail required extensive forensic review before notification was possible. The plaintiffs argue the delay itself caused harm.

Did Qilin really publish the data?

Yes, according to RedPacketSecurity, Enterprise Security Tech, and other security-research outlets that monitor ransomware leak sites. ApolloMD did not pay the ransom. Qilin claimed 238 GB exfiltrated and made good on its threat to publish when payment was not received. This is a meaningful fact even though ApolloMD’s notification letter does not mention it.

How does the settlement help me?

If preliminary approval is granted, every class member can claim up to $5,000 for documented out-of-pocket losses (or about $75 without documentation) plus a year of CyEx medical-data monitoring. The non-reversionary structure means unclaimed funds go to additional pro-rata distribution or cy pres rather than back to ApolloMD.

Is HealthConsent affiliated with ApolloMD?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.