Two cybercriminal gangs now say they hacked medical billing company Resource Corporation of America and stole personal data earlier this winter, including:
- Names
- Social Security numbers
- Health insurance info
- Medical diagnoses and treatment info
- Dates of birth
- Addresses
RCA recently confirmed hackers breached its systems in December 2025, according to a notice posted on the company’s website.
In January, two high-profile ransomware groups claimed responsibility for breaching RCA: Medusa and Qilin. Medusa demanded $800,000 in ransom, and Qilin didn’t reveal its ransom demand. To prove its claim, Medusa posted sample images of what it says are documents stolen from RCA.
Medusa reposted RCA to its data leak site a second time late last week. The new post says the stolen data has been published and implies previous ransom negotiations failed. Medusa’s new post says, “The company begged us for a long time with several ways to remove their case with little money, but we refused.”
RCA has not acknowledged either ransomware group’s claims and Comparitech cannot independently verify them. We do not know how much Qilin demanded, if RCA paid a ransom, or how attackers breached the company’s network. Comparitech contacted RCA for comment and will update this article if it replies.
“On December 17, 2025, RCA became aware of potentially suspicious activity within certain computers systems,” says the company’s notice.
“Through the investigation, RCA confirmed that unauthorized actors accessed certain RCA computer systems and copied files between December 9, 2025, and December 17, 2025. ”
Who are Medusa and Qilin?
Medusa is a ransomware group that first appeared in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of organizations that don’t pay ransoms. Qilin is a ransomware group that started taking credit for attacks on its data leak site in late 2022.
Both Medusa and Qilin deploy malware that both locks down computer systems and steals data, forcing infected organizations to pay a ransom to restore systems and to not publish stolen data. The gangs both operate ransomware-as-a-service schemes in which customers pay to use their malware and infrastructure to launch attacks and collect ransoms.
Qilin took credit for 182 confirmed ransomware attacks in 2025, and Medusa claimed 36. Both groups have claimed responsibility for previous attacks on healthcare businesses like RCA. Medusa took credit for a breach at Insightin Health, and Qilin claimed 12 such breaches including one at SimonMed Imaging, which notified 1.3 million people as a result.
Ransomware attacks on US healthcare businesses
Comparitech researchers logged 30 confirmed ransomware attacks in 2025 on US healthcare businesses that don’t provide direct care such as pharmaceutical companies, medical billing companies, and medical device makers. Those attacks compromised the personal information of more than 6 million people.
Last week, another medical billing company Catalyst RCMÂ issued data breach notices to at least 139,000 people following a ransomware attack claimed by Everest.
Ransomware attacks on healthcare businesses can both lock down computer systems and steal data. These attacks often compromise data belonging to the business’ clients, such as patient data from hospitals and clinics. They can cripple critical systems and endanger the health, privacy, and security of patients. Targeted companies must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk.
Companies like RCM operating in the healthcare sector have become a key target for hackers because they handle a large amount of personal data and deal with several third-party clients.
About Resource Corporation of America
Resource Corporation of America is a medical billing company based in Houston, Texas.
