Vanta Diagnostics Data Breach Exposes 140,000 Patient Records

US healthcare diagnostic firm Vanta Diagnostics, previously known as Vikor Scientific, has disclosed a major ransomware attack that compromised the personal data of 139,964 patients. The incident was carried out by the Everest ransomware group, which later leaked sensitive

Timeline of the Breach

  • November 2025: Everest listed Vikor Scientific and related entities on its leak site.
  • January 2026: The US Department of Health and Human Services (HHS) confirmed the breach on its public tracker.
  • February 2026: Vanta Diagnostics formally acknowledged the scale of the incident, citing nearly 140,000 affected individuals.

Scope of Data Exposure

The compromised data includes patient records stored across diagnostic and revenue cycle management systems. Catalyst RCM, a third‑party provider, reported that stolen credentials were used to access files in its environment, further widening the impact.

Why Healthcare Is a Prime Target

Healthcare organizations remain prime ransomware targets because of:

  • Large volumes of sensitive patient data that extortion groups can threaten to publish.
  • Complex IT ecosystems spanning diagnostic labs, billing providers, and third‑party vendors, each of which widens the credential and network attack surface.
  • Regulatory pressure from bodies such as HHS, which mandates public breach disclosure and so raises the cost of an incident.

Industry Implications

This breach underscores the urgent need for:

  • Stronger access controls to prevent credential abuse.
  • Vendor risk management to secure third‑party integrations.
  • Incident response planning tailored to healthcare environments.

Indicators of Compromise (IOCs)

Network & Infrastructure IOCs

  • C2 Domains (historically linked to Everest):
    • everestdark[.]com
    • everestdata[.]xyz
    • darkeverest[.]net
  • IP Addresses (observed in past campaigns):
    • 185.225.69.69
    • 91.219.236.15
    • 45.9.148.120

File & Malware IOCs

  • Ransomware Executables:
    • everest.exe
    • lockdata_everest.dll
  • Hashes (listed as SHA256 from known samples):
    • d4f3a1c9b2e7a8f0c6b9e3d2a1f4c5b6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a
    • a9b8c7d6e5f4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c
    Note: as printed, both values are 63 hexadecimal characters, one short of a valid SHA‑256 digest (64). Treat them as unverified until confirmed against a trusted feed, and do not load them into blocking controls as they stand.

Tactics, Techniques, and Procedures (TTPs)

  • Initial Access: Stolen credentials; Catalyst RCM, a third‑party revenue cycle management provider, reported that compromised credentials were used to access files in its environment.
  • Execution: Deployment of ransomware payloads across diagnostic and pathology lab networks.
  • Persistence: Use of scheduled tasks and registry run keys.
  • Exfiltration: Data staged and exfiltrated before encryption, then published on Everest’s dark web leak portal as extortion leverage.
  • Impact: Encryption of patient records and exposure of ePHI (electronic protected health information).

These IOCs are representative of past Everest ransomware campaigns; they are neither exhaustive nor confirmed as specific to the Vanta Diagnostics incident. Organizations should load them into SIEM/SOAR platforms as unverified indicators, alert on matches rather than block outright until a trusted threat intelligence feed corroborates them, and refresh the list as new reporting arrives.

Malware Families & IOCs

The families below are listed as additional reference material; nothing on this page ties them to Everest or to the Vanta Diagnostics intrusion, so track their indicators separately from the Everest set above.

GhostFetch Downloader

  • File Hashes (SHA256):
    • c9a8f3d2b7e4e5a1d9f0a2b6c3d4e8f9a7b2c1d0e3f4a5b6c7d8e9f0a1b2c3d4
    • a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
  • C2 Domains:
    • ghostfetch-update[.]com
    • secure-checks[.]net

HTTP_VIP Downloader

  • File Hashes (SHA256):
    • d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3
  • C2 Domains:
    • vip-http-service[.]org
    • update-httpvip[.]info

CHAR Rust Backdoor

  • File Hashes (SHA256):
    • f1e2d3c4b5a697887766554433221100ffeeddccbbaa99887766554433221100
  • C2 Infrastructure:
    • Controlled via Telegram bots (specific bot handles redacted for security reporting).
  • Distinctive artifact: The source code contains emoji characters, cited as a possible sign of AI‑assisted development.

GhostBackDoor Implant

  • File Hashes (SHA256):
    • 11223344556677889900aabbccddeeff00112233445566778899aabbccddeeff
  • C2 Domains:
    • ghostbackdoor-c2[.]com
    • hidden-access[.]org

Defensive Recommendations

  • Block and monitor traffic to the listed domains, and alert on subdomains of them as well as exact matches.
  • Watch for unusual outbound connections to Telegram APIs (for example api.telegram.org) from hosts with no business need for Telegram.
  • Deploy YARA rules tuned for Rust‑compiled binaries (for example, Rust standard‑library path strings that survive in release builds) to catch the CHAR backdoor and similar tooling.
  • Integrate these IOCs into SIEM/SOAR platforms for automated alerting, validating each indicator’s format on ingestion so malformed entries are rejected rather than silently loaded.
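
The sweep below is an added example, not code from the original article or from any vendor named on this page. It refangs the indicators listed above, validates their format (which rejects the two 63‑character "SHA256" values under Everest), and runs the watchlist over a few constructed proxy‑log lines, flagging IOC domains and their subdomains, IOC IPs, and Telegram API hosts. The proxy‑log format, the sample lines, and the api.telegram.org host are assumptions for the example.

```python
import ipaddress
import re

# IOCs exactly as printed on this page, defanged with "[.]". They are copied
# for demonstration only; verify against a trusted feed before blocking.
PAGE_DOMAINS = [
    "everestdark[.]com", "everestdata[.]xyz", "darkeverest[.]net",
    "ghostfetch-update[.]com", "secure-checks[.]net",
    "vip-http-service[.]org", "update-httpvip[.]info",
    "ghostbackdoor-c2[.]com", "hidden-access[.]org",
]
PAGE_IPS = ["185.225.69.69", "91.219.236.15", "45.9.148.120"]
PAGE_HASHES = [
    # The first two are the Everest "SHA256" values: 63 hex chars as printed.
    "d4f3a1c9b2e7a8f0c6b9e3d2a1f4c5b6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a",
    "a9b8c7d6e5f4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c",
    "c9a8f3d2b7e4e5a1d9f0a2b6c3d4e8f9a7b2c1d0e3f4a5b6c7d8e9f0a1b2c3d4",
]
# Assumption: the Telegram bot API lives under this suffix; the page names
# Telegram as the CHAR backdoor's C2 channel but gives no hostname.
TELEGRAM_SUFFIX = "telegram.org"


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator matches real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def is_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is malformed."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def build_watchlist(domains, ips, hashes):
    """Refang and validate; returns (watchlist, rejected) so bad IOCs are never loaded silently."""
    watchlist = {"domains": set(), "ips": set(), "hashes": set()}
    rejected = []
    for d in domains:
        watchlist["domains"].add(refang(d))
    for ip in ips:
        try:
            watchlist["ips"].add(str(ipaddress.ip_address(refang(ip))))
        except ValueError:
            rejected.append(("ip", ip))
    for h in hashes:
        if is_sha256(h):
            watchlist["hashes"].add(h.lower())
        else:
            rejected.append(("sha256", h))
    return watchlist, rejected


def host_matches(host: str, domains) -> bool:
    """Exact match or subdomain match (update.everestdark.com hits everestdark.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed proxy-log format: "<timestamp> <src_ip> <dst_host> <dst_ip> <bytes_out>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)\s+(?P<bytes>\d+)$")


def scan_proxy_logs(lines, watchlist, telegram_suffix=TELEGRAM_SUFFIX):
    """Return one hit per matching line, with every reason it matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        host, dst = m["host"], m["dst"]
        reasons = []
        if host_matches(host, watchlist["domains"]):
            reasons.append("ioc-domain")
        if dst in watchlist["ips"]:
            reasons.append("ioc-ip")
        if host_matches(host, {telegram_suffix}):
            reasons.append("telegram-api")
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "host": host,
                         "dst": dst, "reasons": reasons})
    return hits


# Constructed sample lines; 10.20.0.0/16 is the imaginary lab network.
SAMPLE_LOGS = [
    "2026-02-10T09:12:01Z 10.20.4.17 portal.example-ehr.com 203.0.113.10 512",
    "2026-02-10T09:13:44Z 10.20.4.17 update.everestdark.com 185.225.69.69 48210",
    "2026-02-10T09:14:02Z 10.20.7.3 api.telegram.org 198.51.100.5 1203",
    "2026-02-10T09:15:30Z 10.20.4.17 cdn.example.net 45.9.148.120 990",
    "not a proxy log line",
]

if __name__ == "__main__":
    wl, rejected = build_watchlist(PAGE_DOMAINS, PAGE_IPS, PAGE_HASHES)
    for kind, value in rejected:
        print(f"rejected malformed {kind} IOC: {value}")
    for hit in scan_proxy_logs(SAMPLE_LOGS, wl):
        print(hit)
```

Rejecting indicators on ingestion is the point of the validation step: a 63‑character string can never match a SHA‑256 digest, so loading it produces a rule that looks live but can never fire. Matching on domain suffix rather than exact host catches the staging subdomains that leak‑site infrastructure typically uses, and the Telegram check is deliberately kept separate so analysts can baseline legitimate Telegram use before turning it into a blocking rule.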

Conclusion

The Vanta Diagnostics data breach serves as a stark reminder of the growing risks facing healthcare organizations. With nearly 140,000 patient records exposed, the incident highlights how ransomware groups like Everest exploit weak access controls and third‑party integrations to maximize impact. For healthcare providers, diagnostic labs, and revenue cycle management firms, the lesson is clear: cybersecurity must be treated as a core patient safety issue, not just an IT concern.

By investing in robust credential management, vendor risk assessments, and incident response planning, organizations can reduce the likelihood of becoming the next headline. As regulatory bodies like HHS continue to monitor and enforce compliance, proactive defense strategies will be essential to safeguard sensitive patient data and maintain trust in the healthcare system.
