08.12.2025
2 min
442
A major healthcare data breach has been confirmed in the United States after a cyber intrusion at Vitas Hospice, the country’s largest for-profit hospice network, exposed personal and medical data of more than 319,000 individuals.
According to the U.S. Department of Health and Human Services (HHS) healthcare breach tracker, Vitas Hospice Services discovered unauthorized access to its systems on October 24, although the attacker had maintained access since late September.
The investigation revealed that the threat actor exploited a compromised third-party vendor account, enabling the download of sensitive data belonging to current and former patients. The exposed information includes names, addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, medical records, insurance details, and next-of-kin contact information.
HHS data confirms that 319,177 individuals were affected. It remains unclear whether the incident involved ransomware, as no known ransomware group has claimed responsibility for the breach.
Vitas Healthcare is owned by Chemed and is considered the largest for-profit hospice provider in the United States. Large-scale breaches in the healthcare sector are not uncommon, with similar incidents often affecting hundreds of thousands or even millions of individuals, frequently due to weaknesses in third-party vendor security.
Healthcare organizations remain prime targets due to the high value of medical and personal data, combined with complex supply chains and external service dependencies.
The Vitas breach once again highlights that third-party access remains one of the most significant cybersecurity risks in healthcare. Even without confirmed ransomware involvement, the incident resulted in a massive exposure of sensitive patient data, reinforcing the need for stricter vendor access controls and continuous security monitoring.
