Active breach tracker Arkansas Disclosed August 1, 2025

Highlands Oncology Group Data Breach 2025: 111,766 Cancer Patients Exposed in Medusa Ransomware Attack. What Was Stolen and What To Do

Highlands Oncology Group, a six-location cancer-care provider in Northwest Arkansas, was breached by the Medusa ransomware group. Attackers had access to the network from January 21 to June 2, 2025. Notification letters mailed August 1, 2025. The HHS OCR portal lists 111,766 affected; the Maine AG filing lists 113,575. Here is what was taken and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 21, 2025

Unauthorized network access begins

Jun 2, 2025

Intrusion detected; Highlands begins containment and engages forensics + law enforcement

Jun 19, 2025

Medusa ransomware group publicly claims responsibility, posts sample screenshots on dark-web extortion portal with $700,000 demand and July 21 deadline

Jul 21, 2025

Medusa ransom deadline ($700,000) expires; listing subsequently removed from Medusa leak site (implying ransom may have been paid)

Aug 1, 2025

Filed with HHS OCR (111,766), Maine AG (113,575), New Hampshire AG, and Massachusetts AG; notification letters begin mailing

Aug 1, 2025

Wyckoff v. Highlands Oncology Group, P.A. filed (5:25-cv-05166, W.D. Ark.)

Aug 1, 2025

Disclosed publicly

Aug 4, 2025

Texas AG breach disclosure filed (504 Texas residents affected)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license or state identification number Passport number

02

Health records

Don't expire and can't be reissued

Medical treatment information (oncology diagnoses and treatment records) Medical record number

03

Contact & insurance

Phishing + targeted scams

Full name Credit or debit card number Financial account number Patient account number Health insurance policy information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli Markovits, Stock & DeMarco Pittman Dutton Hellums Bradley & Mann McShane & Brady Schubert Jonckheer & Kolbe The Lyon Firm Console & Associates Schall Law Firm Federman & Sherwood (investigating) Migliaccio & Rathod LLP (investigating) Edelson Lechtzin LLP (investigating) Srourian Law Firm / SLFLA (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Highlands Oncology Group is a comprehensive cancer-care practice operating six locations across Northwest Arkansas and North Central Arkansas: Rogers (two campuses at South 52nd Street and Pinnacle Hills), Springdale, Fayetteville (North Hills and Fayetteville Radiation), and Mountain Home at Baxter Health. On August 1, 2025, the practice began notifying patients that an unauthorized actor had been inside its network for more than four months. The Medusa ransomware group claimed responsibility on June 19, 2025, posting sample screenshots on its dark-web extortion portal and setting a $700,000 deadline of July 21, 2025. After that deadline passed, Medusa’s listing for Highlands was removed from the extortion site. Security researchers note that listing removal after a deadline is consistent with ransom payment; Highlands has not confirmed or denied whether payment was made.

Two affected-individual counts exist in the public record. The HHS Office for Civil Rights breach portal lists 111,766 affected individuals. The parallel filing with the Maine Attorney General lists 113,575. Multi-state AG filings were also made with the New Hampshire, Massachusetts, Texas, Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Vermont, Washington, and California Attorney General offices, confirming national scope. The discrepancy between the OCR and Maine AG counts is common in healthcare breach reporting and typically reflects de-duplication rather than a change in scope.

Timeline

  • January 21, 2025 — Unauthorized actor first gains access to the Highlands Oncology network, per the forensic investigation cited in the notification letter.
  • June 2, 2025 — Highlands detects the intrusion. Files and systems become inaccessible. Containment begins. Law enforcement and a third-party forensic firm are engaged.
  • June 19, 2025 — Medusa ransomware group publicly claims the attack on its dark-web extortion portal, posting sample screenshots of stolen data and setting a $700,000 ransom demand with a July 21, 2025 deadline.
  • July 21, 2025 — Ransom deadline expires. Medusa’s listing for Highlands is subsequently removed from the extortion site, consistent with ransom payment (unconfirmed by Highlands).
  • August 1, 2025 — Highlands files breach reports with the HHS OCR (111,766 individuals), the Maine AG (113,575), the New Hampshire AG, and the Massachusetts AG. Individual notification letters begin mailing the same day. Wyckoff v. Highlands Oncology Group, P.A. (Case No. 5:25-cv-05166) is filed in the Western District of Arkansas.
  • August 4, 2025 — Texas AG breach disclosure filed; at least 504 Texas residents confirmed affected.
  • August 2025 onward — Plaintiff firms publicly announce class-action investigations.

What was exposed

The notification letter confirms that the data elements potentially accessed or acquired between January 21 and June 2, 2025 include, depending on the individual:

  • Full name
  • Date of birth
  • Social Security number
  • Driver’s license or state identification number
  • Passport number
  • Credit or debit card number
  • Financial account number
  • Medical treatment information — for an oncology practice, this category encompasses cancer diagnoses, staging, chemotherapy and radiation regimens, surgical history, and other treatment plan detail
  • Medical record number
  • Patient account number
  • Health insurance policy information

Oncology records carry a category of sensitivity that generic healthcare breaches do not. Cancer diagnosis data, treatment-plan documentation, and any genetic or biomarker testing tied to targeted therapy are the kind of records that affect insurability, employment, and family-member risk profiling, and they are not recoverable. A credit-monitoring product cannot un-disclose a Stage III diagnosis.

The notification letter does not specifically itemize genetic-testing results or tumor-genomic data, but oncology medical records routinely contain that information as part of treatment-plan documentation, and the “medical treatment information” category as worded in the notice does not exclude it.

What Highlands is offering

Affected individuals whose Social Security number or driver’s license number was involved are being offered 12 months of complimentary identity-protection services through Experian IdentityWorks Credit 3B, which includes three-bureau credit monitoring, identity restoration support, and up to $1 million in identity-theft insurance.

Enrollment instructions and the activation code are included in each individual’s notification letter. The dedicated call center number for questions is printed on the letter as well.

Highlands has also stated that it has reviewed and strengthened its security posture, including additional safeguards and monitoring. This is the second ransomware incident the practice has reported publicly. A November 2023 ransomware attack on Highlands Oncology was reported to HHS as affecting 55,297 individuals.

Class-action posture

At least one federal class action has been filed and several additional plaintiff firms are publicly investigating claims.

Filed: Wyckoff v. Highlands Oncology Group, P.A., Case No. 5:25-cv-05166, U.S. District Court for the Western District of Arkansas. The complaint is on the Justia docket.

Public investigations announced by: Strauss Borrelli; Markovits, Stock & DeMarco; Pittman Dutton Hellums Bradley & Mann; McShane & Brady; Schubert Jonckheer & Kolbe; The Lyon Firm; Console & Associates; Schall Law Firm; Edelson Lechtzin LLP; Federman & Sherwood; Migliaccio & Rathod LLP; and Srourian Law Firm (SLFLA), among others.

Plaintiffs’ theories typically include negligence, breach of implied contract, breach of fiduciary duty, and violations of state consumer-protection statutes. Recurring factual emphases in the public investigation notices include the 133-day dwell time, the prior 2023 ransomware incident at the same entity, the multi-state scope of AG notifications, and the sensitivity of oncology records. ClassAction.org’s investigation has concluded; the page is preserved for reference and directs potential plaintiffs to independent legal counsel.

What to do

This week:

  1. Activate the Experian IdentityWorks Credit 3B coverage using the activation code in your notification letter. The offer is time-limited; enroll within the window stated in your letter.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. With SSN, driver’s license, passport, and financial-account information all in scope, a freeze is the highest-leverage defensive step.
  3. Review your insurance Explanation of Benefits statements for any oncology, infusion, imaging, lab, or pharmacy claims you do not recognize. Medical identity theft using exposed insurance data is the underreported risk in oncology-data breaches.

This month:

  1. Stop the ongoing flow of your oncology data downstream. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the diagnoses and treatment data exposed in this breach are not continuously re-shared and sold by data brokers and ad-tech platforms.
  2. Consider whether to join the class. Wyckoff v. Highlands Oncology Group, P.A. is the filed case; multiple firms are accepting affected individuals into their investigations. We are not a law firm and do not give legal advice.
  3. Keep the notification letter. It contains your activation code and is the document plaintiff firms and the OCR will reference if you make a claim or complaint.

Sources

HealthConsent is independent and is not affiliated with Highlands Oncology Group or any of the firms listed above.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.