Avosina Healthcare reports ransomware breach impacting over 42k
Farah Amod
January 28, 2026
The revenue cycle and healthcare IT provider disclosed the incident through state regulatory filings following a ransomware attack.
What happened
Avosina Healthcare Solutions, a physician-owned company that provides revenue cycle management and healthcare IT services, disclosed a data breach tied to a ransomware attack discovered on July 29, 2025. According to a filing with the Maine Attorney General, attackers accessed portions of Avosina’s systems and exposed patient information belonging to clients of the company. The breach was later claimed by the Qilin ransomware group, which posted about the intrusion on the Tor network in early August. State filings show that 42,261 individuals were affected nationwide.
Going deeper
The compromised data included patient names, addresses, medical information, and health insurance details. Because Avosina supports billing and administrative functions for healthcare providers, the exposed information belonged to patients of its customers rather than Avosina employees. After identifying the attack, the company restored systems using backups and engaged external investigators to determine the scope of access. Notifications to affected individuals were issued in writing after the review was completed, and disclosures were submitted to multiple state regulators as the investigation progressed.
What was said
Avosina stated that it took steps to contain the incident, restore services, and strengthen network security following the ransomware attack. The company reported the matter to appropriate authorities and said it worked with security specialists to assess the impact. A public notice describing the data privacy event was also issued. Avosina advised affected individuals to remain alert for suspicious communications and to monitor financial and insurance activity for signs of misuse.
In the know
Details published by the U.S. Department of Health and Human Services describe Qilin as a ransomware-as-a-service operation that has been active since 2022 and continues to target healthcare organizations alongside other industries. The group is believed to originate from Russia and relies on affiliates who carry out attacks in exchange for a share of ransom payments, typically using double-extortion tactics that threaten public data leaks.
The operation initially launched under the name “Agenda” before rebranding later in 2022. Reporting from HHS notes that Qilin has increased its activity over the past year, recruiting affiliates through underground forums and deploying ransomware variants written in Golang and Rust. Investigators say the group commonly gains access through spear phishing and the abuse of remote monitoring tools, and it has claimed responsibility for more than 60 attacks since early 2024.
The big picture
The American Hospital Association traces the first known ransomware incident back to 1989, when a Trojan horse was mailed to AIDS researchers. For years afterward, ransomware was largely seen as a low-level financial crime, typically carried out by opportunistic or amateur hackers, with consequences limited to monetary loss rather than real-world harm.
That view no longer reflects the reality facing healthcare and life sciences organizations. The AHA notes that modern ransomware attacks are driven by well-resourced, professional cybercriminal groups that operate at scale and, in some cases, receive protection or support from foreign governments. These actors are focused on disruption as much as profit, targeting hospitals and health systems in ways that can interfere with care delivery and daily operations. Some groups function as mercenaries, offering ransomware-as-a-service to clients who lack the technical capability to carry out attacks themselves. As profits grow, attackers reinvest in more advanced malware and infrastructure, making attacks harder to prevent and perpetrators more difficult to trace.
FAQs
Why are healthcare service vendors frequent ransomware targets?
They often support multiple provider organizations and maintain centralized systems that contain patient and insurance data.
Does this type of breach affect only the vendor?
No. Patients of the vendor’s healthcare clients can be impacted even if the provider’s own systems were not compromised.
What risks are associated with exposed medical and insurance data?
Such data can be misused for identity theft, insurance fraud, or targeted phishing schemes.
How do ransomware groups pressure organizations after an attack?
Groups often post claims on dark web sites and threaten to release stolen data to force payment.
What steps should affected individuals consider?
They can review breach notices carefully, monitor insurance and financial accounts, watch for suspicious communications, and consider fraud alerts or credit freezes if appropriate.
