Vikor Scientific Data Breach: 139,964 Patients Affected by Third-Party Ransomware Attack

Vikor Scientific, LLC (now operating as Vanta Diagnostics), a molecular diagnostics company based in Charleston, South Carolina, has reported a significant data breach affecting 139,964 individuals to the Department of Health and Human Services. The breach, which occurred in November 2025, resulted from a ransomware attack on the company's third-party revenue cycle management vendor.

What Happened

Between November 8 and November 9, 2025, an unauthorized party gained access to Catalyst RCM's secure file management system using valid login credentials. Catalyst RCM is a third-party provider that handles medical coding and billing services for Vikor Scientific and other healthcare entities.

The breach was classified as a hacking/IT incident that compromised both network servers and other systems. Vikor Scientific reported the incident to HHS on February 6, 2026, nearly three months after the breach occurred, which falls within the required 60-day notification timeline for covered entities.

Interestingly, this breach didn't just affect Vikor Scientific patients. The ransomware attack on Catalyst RCM also impacted two other companies: KorGene and KorPath, suggesting this was a significant attack on the revenue cycle management provider that had cascading effects across multiple healthcare organizations.

Who Is Affected

The breach impacted 139,964 individuals whose personal and protected health information was stored within Catalyst RCM's systems. These patients likely received healthcare services from Vikor Scientific, a molecular diagnostics company that specializes in laboratory testing and diagnostic services.

Vikor Scientific has since rebranded as Vanta Diagnostics, though the breach occurred while the company was still operating under its original name. Patients who received diagnostic services from the company prior to November 2025 should consider themselves potentially affected by this incident.

Breach Details

The attack targeted Catalyst RCM's secure file management system, which contained sensitive patient information processed as part of the company's medical coding and billing operations. The fact that attackers used "valid login credentials" suggests this may have been a credential-based attack, possibly involving stolen or compromised user accounts.

The breach location was identified as both "Network Server" and "Other," indicating the attack may have spread across multiple systems within Catalyst RCM's infrastructure. This type of multi-system compromise is typical of ransomware attacks, where threat actors often move laterally through networks to maximize their impact and data access.

While the breach notice mentions this was a ransomware attack, specific details about the ransomware group responsible, the volume of data potentially exfiltrated, or any ransom demands have not been disclosed in the available documentation.

What This Means for Patients

For the nearly 140,000 individuals affected, this breach represents a significant privacy incident involving their protected health information (PHI). When revenue cycle management systems are compromised, the exposed data typically includes:

• Patient names and contact information
• Social Security numbers
• Insurance information
• Medical billing codes and treatment details
• Financial account information
• Date of birth and demographic data

The specific types of information compromised in this incident have not been detailed in the available breach notification, but patients should assume that comprehensive billing and demographic information may have been accessed.

The three-month timeline between the breach occurrence (November 2025) and the HHS report (February 2026) suggests that the investigation and notification process was complex, possibly due to the third-party nature of the incident and the need to coordinate between multiple affected entities.

How to Protect Yourself

If you believe you may have been affected by the Vikor Scientific/Catalyst RCM breach, consider taking these protective steps:

Monitor Your Accounts: Regularly review your medical bills, explanation of benefits statements, and insurance communications for any unauthorized services or suspicious activity.

Check Credit Reports: Since billing systems often contain Social Security numbers and personal identifiers, monitor your credit reports for unauthorized accounts or inquiries.

Watch for Phishing: Be alert for emails, calls, or texts claiming to be related to this breach that ask for personal information or immediate action.

Document Everything: Keep records of any suspicious activity that might be related to this breach, including dates, amounts, and descriptions of unauthorized charges or communications.

Contact Providers: If you notice any discrepancies in your medical records or billing, contact your healthcare providers and insurance companies immediately.

The breach notice indicates that affected individuals should have received direct notification from Vikor Scientific. If you believe you should have been notified but haven't received communication, contact the company directly for clarification.

Prevention Lessons for Healthcare Providers

The Vikor Scientific breach highlights critical vulnerabilities in third-party vendor relationships that healthcare organizations must address:

Vendor Risk Management: Healthcare providers must implement comprehensive due diligence processes for all third-party vendors, especially those handling PHI. This includes regular security assessments, penetration testing, and ongoing monitoring of vendor security postures.

Credential Security: The fact that attackers used "valid login credentials" underscores the importance of strong authentication measures, including multi-factor authentication, privileged access management, and regular credential rotation.

Business Associate Agreements: Ensure that all business associate agreements (BAAs) with third-party vendors include specific security requirements, incident response procedures, and clear notification timelines.

Incident Response Planning: Develop and regularly test incident response plans that account for third-party breaches, including communication protocols and patient notification procedures.

Network Segmentation: Implement proper network segmentation to limit the potential impact of credential-based attacks and prevent lateral movement within systems.

The involvement of multiple companies (Vikor Scientific, KorGene, and KorPath) in this single vendor breach demonstrates how third-party incidents can have widespread impacts across the healthcare ecosystem.

As ransomware attacks continue to target healthcare organizations and their vendors, robust cybersecurity measures and comprehensive vendor management programs are essential for protecting patient data and maintaining HIPAA compliance.

Protect your practice with AI-powered HIPAA compliance. Get started with HIPAA Agent.