US pharmacy benefit manager MedImpact confirmed that a ransomware attack was behind recent system outages, after the Qilin gang claimed responsibility and said it had exfiltrated company data.
The San Diego–based firm, which serves more than 50 million members and processes over a million healthcare claims each day, said it had identified “ransomware on certain systems” and immediately began “implementing containment and mitigation measures.”
“MedImpact is currently working to restore impacted systems in a new environment that is segregated from the prior infrastructure and protected by multiple layers of defense,” the company said. It added that pharmacy claims for all clients are now being adjudicated and apologized “for any disruption this issue may cause.”
Qilin’s leak site post contained limited data, mainly internal financial details, commission and claims remittance reports, partner transactions, and a bank account summary.
The attack is another high-profile strike in a record year for Qilin. According to Comparitech, the Russia-based group has claimed more than 700 victims in 2025, making it the most prolific ransomware operation of the past few years.
Ransomware-as-a-Service
“Part of Qilin’s recent onslaught of attacks could be attributed to its ransomware-as-a-service business model,” said Rebecca Moody, head of data research at Comparitech. “After RansomHub went dark in April 2025, its affiliates are rumored to have flocked to Qilin. This coincided with a 280 percent jump in attack claims, from 185 at the end of April 2025 to 701 now.”
A Cisco Talos analysis this week described Qilin as one of the most active and damaging ransomware groups worldwide, publishing information on more than 40 victims a month. The group favors a double-extortion model (encrypting files while threatening to leak stolen data) and has primarily targeted manufacturing, professional services, and wholesale trade.
Talos researchers also noted that Qilin attackers have used open-source tools like Cyberduck to move stolen data to cloud servers and deployed dual encryptors across networks to maximize damage.
MedImpact says its systems are being rebuilt within a new, more secure environment. But the incident highlights how even critical healthcare infrastructure is exposed to an increasingly professionalized ransomware industry.
A Growing Threat to Healthcare Information
Damon Small, Board of Directors at Xcape Inc, says: “With over 50 million members and daily claim processing affected, the ransomware attack on pharmacy benefit manager MedImpact is a crucial example of the growing threat to the healthcare information ecosystem.”
Small adds that the Qilin gang’s participation in the ransomware-as-a-service industry highlights a rise in attacks across critical industries. “Qilin alone claims to have stolen more than 110 TB of data across all attacks [1]. The probable exfiltration of financial operation details, such as commissions, claims, and bank summaries, signals a serious loss of proprietary and partner data, even though MedImpact’s transition to a segregated ‘new environment’ is an essential step in recovery.”
He says entities must view their entire supply chain as a single, vulnerable attack surface due to Qilin’s swift and aggressive growth. “In healthcare, downtime is dangerous—but silence is fatal; contain fast, restore safely, and tell the truth early.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.