A ransomware attack on revenue cycle management vendor Catalyst RCM exposed electronic protected health information (ePHI) associated with Vikor Scientific and affiliated laboratories and was reported to federal regulators as affecting 139,964 individuals.
Incident Overview
Vikor Scientific, a molecular diagnostics company based in Charleston, South Carolina that has rebranded as Vanta Diagnostics, disclosed a data breach connected to a security incident involving its vendor Catalyst RCM. The breach also involved the molecular testing laboratory KorGene and the anatomical pathology laboratory KorPath in Tampa, Florida. The affected data related to individuals whose information was processed through billing and coding services handled by Catalyst RCM.
The breach was reported to the U.S. Department of Health and Human Services Office for Civil Rights as involving the ePHI of 139,964 individuals.
Timeline of Unauthorized System Access
Suspicious activity within Catalyst RCM’s secure file management system was identified on or around November 13, 2025. An investigation determined that an unauthorized login was used to access a system that provided access to one of Catalyst RCM’s servers.
The unauthorized access occurred between November 8, 2025, and November 9, 2025. The investigation confirmed that files were copied from the server during this access. A review of the affected system was conducted to determine whether protected health information (PHI) had been exposed or removed. The review concluded on December 12, 2025.
Data Elements Involved
The compromised information varied by individual. The exposed data may include names combined with the following personal or medical data elements: dates of birth, diagnosis information, medical treatment data and medical history, medical insurance information, and payment card information with access code.
The files containing this information were stored within Catalyst RCM’s systems because the company provided revenue cycle management services that included medical coding and billing functions for Vikor Scientific and its affiliated laboratories.
Third Party Vendor Role In The Breach
The investigation determined that Vikor Scientific, KorGene, and KorPath were not directly attacked by the threat actor. The unauthorized access occurred within the systems operated by Catalyst RCM, which maintained the files for billing and coding services performed on behalf of those organizations.
The attackers used compromised login credentials to gain access to the vendor’s file management system. Then, they copied files stored on the server during the period of unauthorized access.
The Everest ransomware group listed Vikor Scientific, KorPath, and KorGene on its data leak website in November 2025 and later published data associated with the breach.
Notification and Response Actions
Catalyst RCM published a substitute breach notification on its website and issued notification letters to affected individuals on behalf of the impacted healthcare organizations. Notification letters to affected individuals were dated February 6, 2026. The vendor also reported that security policies, procedures, and protocols were updated following the incident.
The number of individuals affected may change because it remains unclear whether the reported figure of 139,964 individuals represents the total number affected across all three laboratories or only those attributed to the reporting entity. Catalyst RCM, KorPath, and KorGene had not submitted separate breach reports detailing the number of individuals affected through their systems at the time of the reporting.