Active breach tracker Clear Lake Shores, TX Disclosed February 18, 2026

Resource Corporation of America Data Breach 2026 (Medusa + Qilin Double Extortion): 70 GB of Uninsured-Patient Eligibility Records Leaked. What To Do

Resource Corporation of America (RCA), a Texas-based revenue cycle vendor that screens uninsured hospital patients for Medicaid, charity care, and ACA coverage, was hit by both Medusa AND Qilin ransomware groups in December 2025. ~70 GB of eligibility records leaked publicly after RCA refused an $800,000 ransom. Names, Social Security numbers, household income, household composition, Medicaid IDs, and diagnoses exposed. No credit monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 9, 2025

Unauthorized network access and file exfiltration begin

Dec 17, 2025

RCA discovers the intrusion; federal law enforcement notified

Jan 4, 2026

Medusa lists RCA on dark-web leak site; ~30 sample documents posted; $800K ransom demand

Jan 12, 2026

Qilin separately claims RCA on its leak site (second, distinct actor)

Jan 20, 2026

Medusa publishes ~70 GB archive after RCA refuses ransom

Feb 13, 2026

HHS OCR submission (501 placeholder; review ongoing)

Feb 18, 2026

Public disclosure / notice issuance

Feb 18, 2026

Disclosed publicly

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical diagnosis and treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Home address Health insurance information Benefits eligibility data Inferred (typical of eligibility-vendor workflows, not enumerated in entity notice): income documents, household composition, Medicaid application data, financial-hardship attestations

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Srourian Law Firm SLF (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Resource Corporation of America (RCA) is a Texas-based revenue cycle management vendor headquartered at 1120 Marina Bay Drive, Clear Lake Shores. RCA specializes in third-party eligibility / enrollment for hospitals — screening uninsured and self-pay patients into Medicaid, SSI/SSDI, charity care, COBRA, and ACA coverage programs. The company claims a ~93% certification success rate and operates a national footprint. As a vendor handling patient PHI on behalf of hospital clients, RCA is a HIPAA business associate.

The data RCA holds by function is particularly sensitive: SSN, DOB, address, household income, household composition, Medicaid IDs, insurance info, and medical diagnosis / treatment — because eligibility screening requires verifying financial hardship and medical condition.

Between December 9 and 17, 2025, an unauthorized actor accessed RCA’s network and exfiltrated files. RCA discovered the intrusion on December 17, 2025 and notified federal law enforcement the same day.

This is one of the rare double-extortion incidents claimed by two separate ransomware groups:

  • January 4, 2026: Medusa posted RCA on its dark-web leak site with ~30 sample documents and demanded $800,000 ransom
  • January 12, 2026: Qilin separately claimed RCA on its leak site

Two distinct claims suggest either an initial-access-broker handoff (Medusa bought the foothold from someone who also sold to Qilin) or two independent intrusions during the same compromise window. Either way, two threat groups now hold RCA’s data.

On January 20, 2026, after RCA refused to pay, Medusa published the ~70 GB archive publicly. Medusa’s statement: “The company begged us for a long time…but we refused.”

RCA filed with HHS OCR on February 13, 2026 at the 501-individual reporting floor, with explicit language that “this review process is currently ongoing, and RCA will supplement this notice upon completion of the review.” Given the 70 GB exfiltration volume and the eligibility-vendor scale across multiple hospital clients, the final affected count is almost certainly 5-6 figures or higher.

Downstream hospital clients affected

RCA serves hospitals nationwide as a business associate, but no specific hospital client has been publicly named as a downstream covered entity in this breach. Medusa’s leak archive likely contains identifiable client information in document metadata and contents. Expect separate OCR filings from downstream hospital clients to surface over the coming weeks as those covered entities receive the data and complete their own notifications.

If you were screened by RCA at a hospital admission (any uninsured / charity-care / Medicaid enrollment process during an ER visit, inpatient stay, or outpatient procedure), your records were potentially handled by RCA.

What was stolen

Per RCA’s notice (officially confirmed):

  • Full name, home address
  • Date of birth
  • Social Security number
  • Health insurance information
  • Medical diagnosis and treatment information
  • Benefits eligibility data

Inferred from RCA’s eligibility-vendor function (not enumerated in the entity notice but typical for this workflow):

  • Income documents (paystubs, tax returns)
  • Household composition (family members and dependents)
  • Medicaid application data
  • Financial-hardship attestations

What RCA is offering

  • Systems secured; external cybersecurity specialists engaged; federal law enforcement notified
  • Toll-free call center: 844-726-0950 (Monday to Friday, 9 a.m. to 5 p.m. Central)
  • Mailing address for inquiries: 1120 Marina Bay Drive, Clear Lake Shores, TX 77565

RCA’s notice does NOT offer complimentary credit monitoring or identity theft protection — patients are directed to self-help fraud alerts and credit freezes. This is unusual given the SSN exposure and the 70 GB public leak, and is likely a focal point of class-action litigation.

A particularly vulnerable population

RCA’s patient population is by definition uninsured or under-insured low-income hospital patients — the people screened for charity care, Medicaid, or ACA enrollment because they couldn’t afford their hospital bill. For this population:

  • No existing credit monitoring infrastructure — many patients won’t have access to a credit-freeze workflow without help
  • Mixed-status families may face immigration-enforcement exposure from SSN data combined with household-composition records
  • Medicaid enrollment fraud — claims billed under your member ID can disrupt your benefits eligibility
  • Income document exposure creates risk of targeted financial scams referencing real income figures

What to do

  1. Read your specific notification letter — if you received eligibility screening at any hospital in 2024-2025 and got a letter mentioning Resource Corporation of America, your records are in scope.
  2. Place free credit freezes at Equifax, Experian, TransUnion. RCA is NOT providing monitoring. Freezes are free at all three bureaus.
  3. File IRS Form 14039. Full SSN is in scope and has been publicly leaked.
  4. Get free annual credit reports at annualcreditreport.com and check monthly via your bank or card issuer’s free monitoring.
  5. Watch your Medicaid Notice of Action statements for unfamiliar claims and call your state Medicaid Member Services if you see anything unauthorized.
  6. If you are a mixed-status family with household-composition records potentially exposed, consider consulting NILC, ACLU, or your local immigrant legal services organization.
  7. Stop the ongoing flow of your eligibility-screening data. HealthConsent files HIPAA restriction requests covering revenue cycle management and uninsured-patient enrollment vendor pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.