The Billing Loophole: 140,000 Patient Records Leaked in Vanta/Vikor Scientific Breach
In yet another reminder that third-party vendors are the soft underbelly of cybersecurity, Vanta Diagnostics (formerly known as Vikor Scientific) has confirmed that nearly 140,000 individuals had their sensitive medical and financial data stolen.
The breach didn't target the diagnostic lab directly. Instead, it struck Catalyst RCM, a third-party revenue cycle management firm responsible for Vikor's medical coding and billing.
The Incident: Credentials and Cold Storage
The breach was traced back to a series of unauthorized logins between November 8 and November 9, 2025. An investigation by Catalyst RCM revealed that threat actors used compromised administrative credentials to access a secure file management server.
By the time the intrusion was detected on November 13, the attackers had already exfiltrated approximately 12GB of data.
The Everest Connection
The Everest ransomware group has publicly claimed responsibility for the attack. On their dark web leak site, they listed Vikor Scientific along with its affiliates, KorPath and KorGene, as victims.
Everest reportedly published the stolen data after extortion negotiations failed. The trove included over 25,000 PDF documents containing:
- Full Names and Dates of Birth
- Health Insurance Information
- Diagnosis and Medical Treatment History
- Payment Card Data (including access codes in some instances)
The "Vanta" Rebrand Context
Vikor Scientific recently rebranded as Vanta Diagnostics, a move intended to reflect its evolution into broader molecular testing. However, this breach highlights the "legacy data" problem. Much of the stolen information consisted of Explanation of Benefits (EOB) letters—documents that are often stored in plain-text PDF format by billing vendors for years after the initial service.
The Hacklido Takeaway
For the researchers at Hacklido, this is a textbook case of Credential Misuse overpowering Encryption.
- The Perimeter Problem: The server was "secure," but the credentials were not. If your third-party billing partner isn't enforcing FIDO2-based MFA for their file management systems, your data is one phish away from a leak site.
- The Third-Party Trap: You can't patch a vendor's bad hygiene.
Immediate Actions for Affected Users:
- Enroll in IDX: Catalyst RCM is offering 12–24 months of complimentary identity protection through IDX.
- Audit Medical Statements: Watch for "Ghost Billing" (charges for services you never received), which is common after PHI (Protected Health Information) leaks.
- Credit Freeze: With names, DOBs, and payment data in the wild, a credit freeze is the only reliable way to prevent identity theft.
Hacklido Quick-Tip: This wasn't the only "Vanta" in the news. Last year, the compliance firm Vanta suffered a code-level bug that leaked employee data between customers. Whether it's a diagnostic lab or a security firm, "Vanta" is a name that defenders should be auditing closely this week.