Horizon Healthcare RCM Breach (IN, 2024-2025): 210,901 Affected by December Ransomware at Indiana Revenue-Cycle Vendor
Horizon Healthcare RCM, a Crown Point, Indiana revenue cycle management business associate, was hit by a December 2024 ransomware attack that exfiltrated data and ultimately affected 210,901 patients of its downstream provider clients. The company reportedly paid the threat actors to delete the data.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 25, 2024
Threat actor first accesses Horizon Healthcare RCM network
Dec 27, 2024
Ransomware detonates; files locked and Horizon identifies the intrusion
May 20, 2025
Horizon completes forensic review of all affected files; scope of exposed individuals determined
Jun 27, 2025
Horizon files HIPAA breach notification with HHS OCR and begins notifying affected individuals (initial count 77,410); simultaneously files with Maine, Massachusetts, New Hampshire, and South Carolina AGs
Jun 27, 2025
Disclosed publicly
Jun 30, 2025
Plaintiff firms (Wolf Haldenstein, Strauss Borrelli, Federman & Sherwood, Cohen & Malad) announce class-action investigations
Nov 26, 2025
Vermont Attorney General publishes Horizon Healthcare RCM consumer notice; total affected count revised to 210,901
Dec 25, 2024
Threat actor first accesses Horizon Healthcare RCM network
Dec 27, 2024
Ransomware detonates; files locked and Horizon identifies the intrusion
May 20, 2025
Horizon completes forensic review of all affected files; scope of exposed individuals determined
Jun 27, 2025
Horizon files HIPAA breach notification with HHS OCR and begins notifying affected individuals (initial count 77,410); simultaneously files with Maine, Massachusetts, New Hampshire, and South Carolina AGs
Jun 27, 2025
Disclosed publicly
Jun 30, 2025
Plaintiff firms (Wolf Haldenstein, Strauss Borrelli, Federman & Sherwood, Cohen & Malad) announce class-action investigations
Nov 26, 2025
Vermont Attorney General publishes Horizon Healthcare RCM consumer notice; total affected count revised to 210,901
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Horizon Healthcare RCM (legal name: Horizon Financial Management, LLC), a revenue cycle management vendor headquartered at 9980 Georgia Street, Crown Point, Indiana, was hit by a ransomware attack on December 27, 2024 that locked files and exfiltrated patient data belonging to its downstream provider clients. The company filed its HIPAA breach notification with HHS on June 27, 2025, and by late November 2025 the confirmed affected population had grown to 210,901 individuals. Horizon publicly indicated it paid the threat actors to delete the stolen data, and no ransomware group has claimed responsibility on a public leak site.
Because Horizon is a business associate, the patients receiving these letters are customers of the hospitals, physician groups, and health systems that hired Horizon to handle billing and claims — not direct customers of Horizon itself.
What happened
An unauthorized actor first accessed Horizon’s network on December 25, 2024. Two days later, on December 27, ransomware encrypted files on certain systems. Horizon identified the intrusion the same day and launched an investigation with external cybersecurity experts. The forensic review determined that files had been “likely copied without permission” between December 26 and 27, 2024.
Horizon completed its internal review of all affected files on May 20, 2025. On June 27, 2025, it filed its HIPAA breach report with HHS OCR (initial count: 77,410) and began mailing notification letters. Simultaneously, it filed with the Attorneys General of Maine, Massachusetts, New Hampshire, and South Carolina. By November 26, 2025, when Vermont published its consumer notice, the total affected count had grown to 210,901.
Horizon’s notice states it “arranged for the party responsible for this matter to delete the copied information” — widely interpreted as a ransom payment, though Horizon did not confirm payment directly. No ransomware group has publicly claimed the attack on any leak site. One secondary source (Digital Watch Observatory) reported a suspected LockBit affiliation, but this has not been corroborated by threat intelligence services or Horizon’s own disclosures and should be treated as unconfirmed.
What was stolen
The data elements vary by individual. For the broad majority, the exposed information was limited to internal Horizon identifiers, customer or patient numbers, and general health insurance claims processing information. For a smaller subset, the breach involved more sensitive elements:
- Names
- Dates of birth
- Social Security numbers
- Driver’s license numbers and passport numbers
- Medical record numbers
- Payment card information
- Checking or other financial account information
- Non-address contact information (email addresses, phone numbers)
Horizon’s own notice stated that “fewer than 500 people” had the more sensitive elements (SSNs, financial account data, government IDs) exposed. The confirmed data categories above are drawn from Horizon’s own notification letter and the Maine Attorney General filing.
Who’s notifying you (and why it’s not your hospital)
Horizon Healthcare RCM is a HIPAA business associate — a vendor that hospitals and physician groups hire to run their revenue cycle (billing, coding, claims). Public materials and Horizon’s own client list have referenced healthcare organizations such as Ascension Health, Bon Secours Health System, Franciscan Alliance, Guthrie Lourdes Hospital, Methodist Hospitals, Adfinitas Health, Ensemble Health Partners, and others as customers of its services.
If you received a Horizon Healthcare RCM letter, the data originated from a provider you saw — not from a company you signed up with directly. The notification letter is being mailed by Horizon under its own letterhead because, as the business associate that suffered the intrusion, it is the entity required to notify under HIPAA. In some cases, Horizon could not identify the covered-entity customer whose data was involved, so some letters were sent without naming the provider.
What Horizon is offering
Horizon is offering 12 months of complimentary identity monitoring through Kroll, a global risk mitigation firm. The monitoring package includes credit monitoring, fraud consultation, and identity theft restoration.
To activate:
- Visit enroll.krollmonitoring.com and use the membership number printed on your notification letter.
- The activation deadline is stated in your specific letter; the template uses a per-recipient deadline date.
For questions, call Horizon’s dedicated assistance line: 1-866-461-8271, Monday through Friday, 9:00 a.m. to 6:30 p.m. Eastern (excluding U.S. holidays). You may also write to: Horizon Healthcare RCM, Attn: Compliance, 9980 Georgia St, Crown Point, IN 46307.
State AG filings
Horizon notified multiple state regulators. Confirmed filings and resident counts reported:
- Maine: 11 residents affected (filed June 27, 2025)
- Massachusetts: 43 residents affected (filed June 27, 2025)
- New Hampshire: 14 residents affected (filed June 27, 2025)
- South Carolina: 5,499 residents affected (filed June 27, 2025; notice posted by SC Consumer Affairs)
- Vermont: consumer notice published November 26, 2025; revised total count of 210,901 disclosed in this filing
Class-action posture
At least eight plaintiff firms have publicly announced investigations or filed complaints connected to the Horizon Healthcare RCM breach. Cohen & Malad, LLP (Indianapolis) is among the most active given Horizon’s Indiana headquarters; Strauss Borrelli PLLC, Federman & Sherwood, Wolf Haldenstein Adler Freeman & Herz LLP, Levi & Korsinsky LLP, Murphy Law Firm, Srourian Law Firm, and Maxey Law Firm have also issued investigation notices.
The expected venue for consolidated litigation is the U.S. District Court for the Northern District of Indiana, where Horizon is based. No docket number for a filed complaint has been publicly confirmed as of this page’s last update.
What to do
- Enroll in Kroll identity monitoring using the membership number in your notification letter. Visit enroll.krollmonitoring.com. The enrollment deadline is printed on your specific letter — do not miss it.
- Freeze your credit at Equifax (1-888-298-0045), Experian (1-888-397-3742), and TransUnion (1-833-799-5355). It is free, reversible, and the single most effective step against new-account fraud.
- File IRS Form 14039 if your Social Security number was exposed, to flag your tax account against fraudulent returns. SSN exposure in healthcare billing breaches frequently surfaces as fraudulent tax filings in the year following the breach.
- Cancel or reissue payment cards if your notification letter indicates checking account or payment card information was involved. Contact your bank directly; do not rely on monitoring alone for financial accounts.
- Watch insurance EOBs and Medicare Summary Notices for services you did not receive. Revenue cycle data is particularly useful to fraudsters seeking to file false insurance claims.
- Keep the notification letter. If a class settlement is reached, you will need the breach reference number and possibly proof you received a letter to submit a claim. Do not pay any fee to participate — legitimate class-action processes are free to class members.
- Stop the ongoing flow of your billing and claims data. HealthConsent files HIPAA restriction requests so the health insurance and treatment information exposed in this breach is not continuously re-shared across revenue cycle networks and clearinghouses.
Continue reading
Sources
- HIPAA Journal — Horizon Healthcare RCM Announces December 2024 Ransomware Attack
- Vermont Attorney General — Horizon Healthcare RCM Data Breach Notice to Consumers (Nov. 26, 2025)
- DataBreaches.net — Horizon Healthcare RCM discloses ransomware attack in December
- BankInfoSecurity — Another Billing Software Vendor Hacked by Ransomware
- Comparitech — Medical billing company Horizon Healthcare notifies 77K people of data breach
- ClassAction.org — Horizon Healthcare RCM Data Breach Notification Letter (PDF)
- Cohen & Malad, LLP — Horizon Healthcare RCM Data Breach Lawsuit
- Federman & Sherwood — Horizon Healthcare RCM Data Breach Investigation
- ClaimDepot — Horizon Healthcare RCM Data Breach Affects 210,901 People
- South Carolina Consumer Affairs — Horizon Healthcare RCM Notification Letter (PDF)
- Paubox — Horizon Healthcare RCM confirms December ransomware attack
- HHS Office for Civil Rights Breach Portal
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal — Horizon Healthcare RCM Announces December 2024 Ransomware Attack
- Vermont Attorney General — Horizon Healthcare RCM Data Breach Notice to Consumers (Nov. 26, 2025)
- DataBreaches.net — Horizon Healthcare RCM discloses ransomware attack in December
- BankInfoSecurity — Another Billing Software Vendor Hacked by Ransomware
- Comparitech — Medical billing company Horizon Healthcare notifies 77K people of data breach
- ClassAction.org — Horizon Healthcare RCM Data Breach Notification Letter (PDF)
- Cohen & Malad, LLP — Horizon Healthcare RCM Data Breach Lawsuit
- Federman & Sherwood — Horizon Healthcare RCM Data Breach Investigation (Maine AG filing details)
- ClaimDepot — Horizon Healthcare RCM Data Breach Affects 210,901 People (state AG resident counts)
- South Carolina Consumer Affairs — Horizon Healthcare RCM Notification Letter (PDF)
- Paubox — Horizon Healthcare RCM confirms December ransomware attack
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.