ApolloMD, a Georgia-based physician staffing and management group, has confirmed that a May 2025 ransomware attack compromised the sensitive information of 626,540 individuals. The company disclosed the final tally in a filing with the U.S. Department of Health and Human Services (HHS) this week, following a months-long investigation into the intrusion.
The breach was first detected on May 22, 2025, when the company identified unusual activity within its network environment. An investigation, assisted by a third-party cybersecurity firm, determined that an unauthorized party had access to the systems for approximately 24 hours between May 22 and May 23, 2025.
During this period, hackers potentially accessed or acquired files containing electronic protected health information (ePHI). The compromised data included names, addresses, dates of birth, diagnoses, provider names, dates of service, treatment information, and health insurance details. A subset of the affected individuals also had their Social Security numbers exposed.
The Qilin ransomware group claimed responsibility for the attack in June 2025, adding ApolloMD to its dark web leak site and threatening to release data if a ransom was not paid. Industry analysts noted that Qilin was one of the most active ransomware threats in 2025, frequently targeting the healthcare sector.
ApolloMD, which manages more than 125 practices across 18 states and treats approximately 4 million patients annually, began notifying its physician practice clients of the incident in July 2025. Affected entities included eleven managed practices, such as Passaic Hospitalist Services, Aurora Emergency Physicians, and Trinity Emergency Physicians. Individual notification letters were mailed to patients starting September 17, 2025.
The incident ranks as one of the most significant healthcare ransomware attacks of 2025, a year in which the healthcare sector accounted for 22% of all disclosed ransomware attacks. Despite its scale, the breach remains smaller than the attack on Conduent Business Services, which impacted more than 25 million people.
In response to the breach, ApolloMD stated it has implemented enhanced security protocols and is offering complimentary credit monitoring and identity theft protection to individuals whose Social Security numbers were compromised. The company also established a dedicated toll-free response line to handle inquiries from affected patients.