Catalyst RCM Data Breach 2026, Attorneys Investigating Medical Info Exposure — What Patients Need to Know

Catalyst RCM, a medical billing provider serving diagnostic labs across the U.S., disclosed a November 2025 data breach that exposed patient names, medical histories, diagnoses, and payment card details. Attorneys are now investigating whether affected patients can file a class action lawsuit to recover damages for privacy loss and potential identity theft risks.

What Happened in the Catalyst RCM Security Incident

On November 13, 2025, Catalyst RCM identified suspicious activity within its secure file management system. According to the company’s official breach notice, unauthorized individuals accessed one of its servers between November 8 and November 9, 2025, copying sensitive patient data before Catalyst RCM could stop the intrusion.

The breach affected patients who received diagnostic testing services from Catalyst RCM’s clients, including Vikor Scientific, KorPath, and Korgene—all clinical laboratories specializing in molecular diagnostics and medical testing. Catalyst RCM provides revenue cycle management services, meaning it handles medical billing, coding, and payment processing for healthcare providers nationwide.

Cybersecurity researchers identified the ransomware group Everest as responsible for the attack. According to third-party threat intelligence reports, Everest posted over 11 GB of stolen data on the dark web in mid-November 2025, including electronic medical records (EMRs) and patient billing information from the affected laboratories.

What Information Was Exposed

The compromised data includes highly sensitive personal and medical information that could be used for identity theft or medical fraud. According to Catalyst RCM’s breach notification letter, exposed information may include:

Personal identifiers: Names, dates of birth, and addresses.

Financial data: Payment card information with access codes (CVV numbers).

Protected health information: Medical treatment details, medical histories, diagnosis information, and health insurance details.

This type of data is particularly valuable to criminals because it combines financial access with medical identity information. Medical identity theft can result in fraudulent insurance claims, unauthorized medical procedures billed to victims, and corrupted medical records that affect future healthcare.

Who Is Affected by This Data Breach

Catalyst RCM completed its review of the compromised data in late 2025 and began notifying potentially affected individuals in early 2026. Patients who received services from the following diagnostic laboratories during the breach timeframe may be impacted:

Vikor Scientific, LLC: A CLIA-certified and CAP-accredited clinical diagnostics laboratory based in Charleston, South Carolina, specializing in molecular diagnostics.

KorPath (Independent Clinical Laboratories Inc.): A clinical testing laboratory based in Tampa, Florida.

Korgene: A clinical diagnostics laboratory based in Pennsylvania focused on disease detection platforms.

The exact number of affected individuals has not been publicly disclosed. However, based on the size of the data stolen and the scope of the affected laboratories’ operations, thousands of patients across multiple states likely had their information compromised.

If you received diagnostic testing services from any of these laboratories or received a breach notification letter from Catalyst RCM, your information was likely exposed.

Attorney Investigation Status

Law firms are actively investigating the Catalyst RCM data breach to determine whether affected patients can file a class action lawsuit. Bryson Harris Suciu & DeMay PLLC, working with ClassAction.org, announced its investigation in early February 2026.

Attorneys are examining whether Catalyst RCM failed to implement adequate security measures to protect sensitive patient data entrusted to the company. As of February 2026, no lawsuit has been filed, but investigators are gathering information from affected individuals to build a potential case.

This investigation follows a pattern of similar healthcare data breach litigation. Revenue cycle management companies like Catalyst RCM handle some of the most sensitive patient information but often face scrutiny over whether they maintain cybersecurity standards appropriate for the data they process.

Potential Legal Claims and Litigation

Several legal theories may apply to the Catalyst RCM data breach based on similar healthcare privacy cases:

Negligence: Attorneys may argue Catalyst RCM failed to implement reasonable security measures to protect patient data from unauthorized access, breaching its duty of care to patients whose information it stored.

Failure to Maintain Adequate Security: Healthcare data handlers must maintain industry-standard cybersecurity protections. The successful ransomware attack suggests potential security gaps.

HIPAA Violations: While patients cannot directly sue over HIPAA violations, regulatory agencies like the Department of Health and Human Services Office for Civil Rights can investigate and impose fines. These regulatory actions often run parallel to private lawsuits.

State Privacy Law Violations: Many states have enacted health privacy laws stricter than HIPAA, providing additional legal grounds for patient claims.

Breach of Fiduciary Duty: Patients may argue Catalyst RCM violated its duty to safeguard confidential medical information.

If a class action lawsuit is filed and succeeds, affected patients could receive compensation for losses including credit monitoring costs, time spent addressing the breach, identity theft damages, and loss of privacy. Previous healthcare data breach settlements have awarded anywhere from $50 to several hundred dollars per affected individual, depending on the breach severity and demonstrated harm.

Timeline of the Catalyst RCM Breach

November 8-9, 2025: Unauthorized access occurred on Catalyst RCM’s servers. Data was copied during this two-day window.

November 12-13, 2025: The Everest ransomware group publicly posted stolen data on dark web leak sites, claiming the breach and listing Vikor Scientific, KorPath, and Korgene as victims.

November 13, 2025: Catalyst RCM identified suspicious activity in its file management system and began its internal investigation.

Late 2025: Catalyst RCM completed its review of compromised data to identify which specific patient information was accessed.

Early 2026: Catalyst RCM began sending breach notification letters to affected patients.

February 9, 2026: Attorneys publicly announced their investigation into potential class action litigation.

What Competitors Missed About This Breach

Most coverage focused on the technical aspects of the ransomware attack. However, three critical details deserve more attention:

Multi-Laboratory Impact: This wasn’t a breach of a single healthcare provider. Catalyst RCM’s role as a revenue cycle management vendor means the breach affected patients across multiple independent diagnostic laboratories in different states—expanding the geographic scope and number of victims beyond what initial reports suggested.

Payment Card Data Exposure: Unlike many healthcare breaches that expose only medical records, this breach included payment card information with access codes. This creates immediate financial fraud risk beyond the typical identity theft concerns in medical data breaches.

Ransomware Group Claims: The Everest group’s public posting of stolen data on dark web leak sites means patient information isn’t just compromised—it’s actively being distributed in criminal forums where it can be purchased and exploited.

Common Misconceptions About Healthcare Data Breaches

Misconception 1: “I can sue directly under HIPAA for the breach.”

Reality: HIPAA does not provide a private right of action. Only federal regulators can enforce HIPAA violations. However, patients can sue under state privacy laws, negligence theories, and other legal claims.

Misconception 2: “If I don’t see fraudulent charges immediately, I’m safe.”

Reality: Medical identity theft often goes undetected for months or years. Criminals may file fraudulent insurance claims, obtain prescriptions in your name, or create fake medical records that contaminate your legitimate healthcare history.

Misconception 3: “Only patients who received breach letters are affected.”

Reality: Breach notification letters only go to individuals Catalyst RCM could identify and contact. If your contact information in their system was outdated, you may be affected without receiving official notice.

2025-2026 Healthcare Data Breach Trends

The Catalyst RCM breach reflects broader trends in healthcare cybersecurity:

Ransomware Dominance: Healthcare entities remain prime targets for ransomware groups because they hold valuable data and often pay ransoms to restore operations quickly. The Everest group alone has targeted dozens of healthcare organizations in 2025-2026.

Third-Party Vendor Risks: Many breaches now occur at vendors like Catalyst RCM rather than directly at hospitals or clinics. Patients often don’t know which third-party companies have access to their medical records.

Increasing Litigation: Courts nationwide are seeing more healthcare data breach class actions. Judges increasingly recognize that even without immediate financial harm, patients suffer real damages from medical privacy violations and identity theft risks.

How to Protect Yourself After This Breach

If you received services from Vikor Scientific, KorPath, or Korgene, or if you received a Catalyst RCM breach notification letter, take these immediate steps:

Monitor Your Credit Reports: Request free credit reports from all three bureaus (Equifax, Experian, TransUnion) at AnnualCreditReport.com. Look for unfamiliar accounts or inquiries.

Place Fraud Alerts: Contact one credit bureau to place a fraud alert on your file. The bureau will notify the other two. This makes it harder for identity thieves to open new accounts in your name.

Consider a Credit Freeze: A security freeze prevents new creditors from accessing your credit report, blocking most new account openings. This provides stronger protection than fraud alerts.

Review Medical Records: Request copies of your medical records from your healthcare providers. Look for services, diagnoses, or prescriptions you don’t recognize.

Watch Explanation of Benefits (EOB) Statements: Review insurance EOBs carefully for medical services or prescriptions you never received. Report suspicious claims immediately to your insurer.

Change Passwords: If you used the same password across multiple healthcare portals or payment sites, change them immediately. Use unique, strong passwords for each account.

Monitor Payment Cards: If your payment card information was exposed, contact your card issuer to request a replacement card with a new number. Watch for unauthorized charges.

How to Stay Informed About the Investigation

Attorneys investigating the Catalyst RCM data breach need to hear from affected patients to build a potential class action case. If you believe your information was compromised:

Contact Investigating Attorneys: Visit ClassAction.org’s Catalyst RCM data breach investigation page to submit your information. There is no cost to participate in the investigation or speak with attorneys about your rights.

Check for Lawsuit Filings: Monitor legal news websites and court docket databases for any filed class action complaints. Pacer.gov provides federal court docket access (small fee required).

Save Your Breach Notice: Keep any notification letters from Catalyst RCM in a safe place. These documents prove you were affected and may be needed as evidence.

Document Your Time and Costs: Keep records of time spent addressing the breach, credit monitoring expenses, and any out-of-pocket costs related to identity protection. These may support damage claims in potential litigation.

Where to Find Official Information and Resources

Catalyst RCM Official Statement: Visit catalystrcm.com/notice-of-data-event/ for the company’s official breach announcement.

Federal Trade Commission: The FTC provides identity theft recovery resources at IdentityTheft.gov.

Department of Health and Human Services: HHS tracks major healthcare data breaches at hhs.gov/hipaa/for-professionals/breach-notification.

State Attorneys General: Many states’ attorneys general offices provide data breach resources and accept complaints about inadequate breach responses.

Credit Bureaus:

  • Equifax: equifax.com or 1-800-685-1111
  • Experian: experian.com or 1-888-397-3742
  • TransUnion: transunion.com or 1-800-916-8800

What Information Was Exposed in the Catalyst RCM Data Breach?

The breach exposed names, dates of birth, payment card details with access codes, medical treatment information, medical histories, diagnosis information, and health insurance details. Not all affected individuals had all categories of information compromised, but the breach letter should specify which data types were accessed in your case.

How Do I Know If I’m Affected by This Data Breach?

If you received diagnostic testing services from Vikor Scientific, KorPath, or Korgene during or before November 2025, your information may have been exposed. Catalyst RCM is sending notification letters to affected individuals. You can also contact the settlement administrator or the laboratories directly to confirm whether your data was involved.

Are Attorneys Investigating the Catalyst RCM Data Breach?

Yes. Bryson Harris Suciu & DeMay PLLC, working with ClassAction.org, is actively investigating whether a class action lawsuit can be filed on behalf of affected patients. Attorneys are gathering information from individuals who received breach notifications to determine the scope of potential legal claims.

What Legal Claims Might Apply to This Data Breach?

Potential claims include negligence for failing to implement adequate security measures, violations of state health privacy laws, breach of fiduciary duty, and failure to maintain industry-standard cybersecurity protections. While HIPAA violations cannot be pursued directly by patients, regulatory agencies may investigate separately from any private lawsuit.

What Should I Do If My Medical Information Was Exposed?

Immediately monitor your credit reports, place fraud alerts or credit freezes, review medical records and insurance statements for fraudulent activity, change passwords on healthcare portals, and contact your payment card issuer if financial information was compromised. Save all breach notification letters and document time and costs spent addressing the breach.

Will There Be a Class Action Lawsuit?

As of February 2026, no lawsuit has been filed yet. Attorneys are still investigating and gathering information from affected individuals. Whether a lawsuit is filed depends on the number of affected patients, the extent of damages, and the strength of legal claims. Check with investigating attorneys or legal news sources for updates on case developments.

How Can I Stay Updated on the Investigation?

Contact the attorneys investigating at ClassAction.org’s Catalyst RCM investigation page, monitor legal news websites covering healthcare data breach litigation, check federal court dockets for any filed complaints, and follow updates from affected laboratories or Catalyst RCM itself. There is no cost to contact investigating attorneys or provide your information.

For patients concerned about healthcare privacy violations, the article "MyChart Class Action Lawsuit Claim & Settlement Alert" shows how similar healthcare data sharing cases have resulted in compensation for affected patients.

Last Updated: February 10, 2026

Disclaimer: This article provides informational content only and does not constitute legal advice. Consult the investigating attorneys or a qualified attorney for specific guidance about your situation and legal rights.

What to Do Next: If you received services from Vikor Scientific, KorPath, or Korgene, contact investigating attorneys immediately to learn about your legal rights and potential compensation.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.