A ransomware attack on Horizon Healthcare RCM may have exposed sensitive data linked to healthcare systems across the U.S.
Horizon Healthcare RCM, a revenue cycle management firm based in Crown Point, Indiana, has disclosed that its systems were breached during a ransomware attack identified on December 27, 2024. A forensic investigation confirmed that attackers had access between December 25 and December 27 and exfiltrated sensitive files. Horizon completed its internal review of the compromised data on May 20, 2025, and has begun notifying affected individuals.
Horizon provides billing and administrative services to numerous healthcare organizations. Data compromised in the attack varied by individual but generally included internal identifiers and claims processing information. Fewer than 500 people had additional personal data accessed, such as Social Security numbers, financial account details, or identification numbers.
Although no ransomware group has claimed responsibility, Horizon’s breach notice stated that it “arranged for the party responsible to delete the copied information,” strongly implying a ransom was paid. Paying a ransom is not a guarantee that data has been fully deleted, and some law enforcement operations have shown that stolen data can be retained or resold. So far, Horizon has reported no verified cases of fraud or identity theft linked to the incident.
Affected individuals are being contacted by mail and offered identity monitoring services where applicable.
Horizon has not confirmed which of its client healthcare systems were affected. The company’s website lists several major clients, including Ascension Health, Bon Secours Health System, Franciscan Alliance, and Methodist Hospitals. The extent of impact across these organizations is not yet clear. The breach has not yet appeared on the U.S. Department of Health and Human Services’ Office for Civil Rights breach portal, which is used to track major health data incidents.
Ransomware attacks on healthcare vendors such as Horizon show how third-party service providers remain a point of risk. These vendors often handle billing and medical data across multiple healthcare organizations, meaning a single breach can affect several hospitals and clinics. The Horizon incident also brings attention to how patient data is protected over time and whether current breach response measures are sufficient when external partners are involved.
RCM companies handle the administrative and financial aspects of patient care, including billing, claims processing, and payment collection. They store sensitive data that makes them prime targets for cyberattacks.
When a ransom is paid, attackers often avoid publicizing the breach to keep the transaction discreet. Silence may also reduce pressure from law enforcement or scrutiny from cybersecurity researchers.
There is no way to verify deletion unless law enforcement recovers the servers. Victims may still face extortion or have their data sold, even after paying.
The breach may not have reached the reporting threshold or could be undergoing further review before being published. Timing or incomplete impact assessments can also delay listing.
They should watch for official notifications, enroll in offered identity protection services, and monitor their financial accounts and credit reports for any unusual activity.