A Russia-based cybercriminal group says it has accessed financial data from one of the largest US pharmacy benefit managers.
According to Information Security Buzz, Qilin, a ransomware group linked to hundreds of attacks in 2025, has claimed responsibility for breaching MedImpact, a U.S.-based pharmacy benefit manager that serves over 50 million members. The group posted partial data on its leak site, including financial summaries, commission reports, and claims-related remittance logs.
MedImpact later confirmed the presence of ransomware on some of its systems and reported that containment and recovery measures are in progress. While the leaked files do not appear to contain detailed personal health information, the incident is under investigation, and MedImpact is working with a national cybersecurity firm.
The posted documents show limited but sensitive business data: transaction logs, account balances, and intercompany commission summaries. No patient data has been published so far, but researchers suggest the attackers may be withholding more sensitive material for future leverage.
MedImpact stated that affected systems are being rebuilt in a separate environment with enhanced security layers. The company has notified law enforcement and launched a formal investigation.
Researchers noted that while Qilin’s claims appear credible, the leaked data primarily exposes financial activity and operational strategies. If patient data were exfiltrated, it has not yet been shared publicly.
A spokesperson for MedImpact said the company is "working to restore impacted systems in a new environment that is segregated from the prior infrastructure and protected by multiple layers of defense." Researchers added that the leaked information, though not deeply personal, could still provide intelligence to competitors or future attackers.
Qilin’s own post did not mention a ransom demand or confirm how much data was accessed beyond the initial samples.
According to Cybernews, Qilin is “a prolific Russia-based group” that first appeared in 2022 and “claimed 45 attacks” the following year. By 2024, its victims had surged to 179, and that number “quadrupled this year,” marking one of the sharpest growth trends among ransomware operations. Cybernews reported that recent Qilin attacks have disrupted major companies such as Asahi Holdings, Japan’s largest brewer, and Volkswagen Group France, where the gang allegedly exfiltrated “about 2,000 files and 150GB of data.” The rapid escalation of Qilin’s operations shows how aggressive ransomware groups are scaling globally, targeting both industrial and corporate sectors with increasing precision and impact.
A pharmacy benefit manager (PBM) is a third-party administrator of prescription drug programs that helps manage drug costs and insurance claims for health plans, employers, and government agencies. MedImpact provides these services to over 50 million members.
Qilin is a Russia-based ransomware group known for a sharp increase in attacks since 2022. They target high-profile companies across sectors and often use stolen data as leverage for ransom demands.
Even without personal health details, financial data can reveal internal operations, spending patterns, and partnerships. This information can be used by competitors or for follow-up cyberattacks.
MedImpact has partnered with a leading cybersecurity firm, reported the breach to authorities, and is rebuilding affected systems in a segregated, more secure environment.
Yes. Although Qilin’s initial leak did not include personal health data, the group may be withholding it for future extortion attempts or negotiations. Investigations are ongoing.