Excelas Data Breach Exposes PII and PHI, Cl0p Claims Responsibility
Excelas confirms Nov‑Dec 2025 breach exposing PII and PHI; Cl0p claims theft; 24‑month identity monitoring offered.

TL;DR
Excelas confirmed a November‑December 2025 intrusion that exposed PII and PHI, with Cl0p claiming theft in January 2026 and the firm now offering two years of free identity monitoring.

Context
Excelas provides medical record organization and analysis for healthcare providers nationwide. Unauthorized actors accessed its systems from November 27 to December 3, 2025, potentially viewing or copying files containing sensitive data. After detecting suspicious activity, Excelas launched an internal investigation to determine the scope of the breach.

Key Facts
On January 23, 2026, the Cl0p ransomware group posted on Tor claiming it had stolen data from Excelas. The exposed information includes names, dates of birth, Social Security numbers, government IDs, diagnoses, medical histories, treatment records, prescriptions, physician details, medical images, insurance policy and group numbers, and payment information. Excelas disclosed the breach to the attorneys general of Massachusetts and New Hampshire on May 12, 2026, posted a notice on its website, and began notifying affected individuals around the same date. The company is providing 24 months of complimentary identity monitoring through Kroll, which includes single‑bureau credit monitoring, unlimited fraud consultation, and identity theft restoration services. A dedicated toll‑free line (844‑576‑3143) and mailing address are available for questions.

What It Means
The combination of PII and PHI increases the risk of identity theft, medical fraud, and targeted phishing. Regulatory scrutiny may rise given the multi‑state disclosure and the sensitivity of health data. Affected individuals should monitor accounts for unauthorized activity and consider enrolling in the offered monitoring services.
Mitigations
Excelas has not said how the intruders got in, so the following are general controls rather than fixes for a known gap. Organizations should enforce network segmentation to limit lateral movement, deploy multi‑factor authentication on all remote access points, and monitor for anomalous file access using SIEM rules aligned with MITRE ATT&CK T1078 (Valid Accounts) and T1041 (Exfiltration Over C2 Channel). Patching known vulnerabilities listed in the CISA KEV catalog and applying the principle of least privilege to privileged accounts reduce exposure. Regularly reviewing egress and access logs for outbound connections to Tor relays or other unexpected external hosts, especially large transfers, can help detect ransomware‑linked exfiltration before the data surfaces on a leak site.
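Two of the mitigations above (T1078-style anomalous file access and T1041-style exfiltration) translate into concrete SIEM logic, which the following added example demonstrates over constructed log lines. This is not Excelas's code or any vendor's rule set; the log formats, thresholds, documentation-range IP addresses, and the hand-written Tor relay list are all assumptions made for the example, and a real deployment would take the relay list from the Tor Project's published relay and exit lists rather than a literal.

```python
"""Added example (not Excelas's or any vendor's code): two small detections that
approximate the mitigations discussed on the page, run over constructed logs.

  1. T1078-style anomalous file access: one account reading many patient
     records in a short sliding window, which is what bulk theft of PHI looks
     like on a file server.
  2. T1041-style exfiltration: outbound flows to assumed Tor relay addresses or
     Tor default ports, or an unusually large transfer to one external host.

Log formats, thresholds, addresses and the relay list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-server audit log. Assumed format:
# <ISO-8601 ts> <user> <action> <path> <bytes>
FILE_AUDIT = """\
2025-11-27T22:01:10Z jsmith READ /records/patient/0001.pdf 204800
2025-11-27T22:01:12Z jsmith READ /records/patient/0002.pdf 198000
2025-11-27T22:01:15Z jsmith READ /records/patient/0003.pdf 311000
2025-11-27T22:01:20Z jsmith READ /records/patient/0004.pdf 150000
2025-11-27T22:01:21Z jsmith READ /records/patient/0005.pdf 120000
2025-11-27T22:01:23Z jsmith READ /records/patient/0006.pdf 99000
2025-11-28T09:14:02Z mlee READ /records/patient/0007.pdf 180000
2025-11-28T09:40:33Z mlee READ /records/patient/0008.pdf 220000
2025-11-28T10:02:11Z mlee WRITE /records/summary/0008.docx 40000
"""

# Constructed egress (flow) log. Assumed format:
# <ts> <src> <dst> <dport> <bytes_out>   (dst addresses are RFC 5737 ranges)
EGRESS = """\
2025-12-02T03:12:44Z 10.20.4.17 203.0.113.45 443 820000000
2025-12-02T03:13:01Z 10.20.4.17 198.51.100.9 9001 1500000
2025-12-02T08:30:00Z 10.20.4.22 192.0.2.10 443 120000
"""

# Assumed: a locally cached set of Tor relay IPs. In practice populate this from
# the Tor Project's published relay/exit lists, never by hand.
TOR_RELAYS = {"198.51.100.9"}
TOR_DEFAULT_PORTS = {9001, 9030}  # Tor's default ORPort / DirPort


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_file_audit(text):
    """Parse the assumed audit format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, nbytes = line.split()
        events.append({"ts": _ts(ts), "user": user, "action": action,
                       "path": path, "bytes": int(nbytes)})
    return events


def flag_bulk_readers(events, window=timedelta(minutes=10), max_files=5):
    """Return {user: {files, bytes, start}} for users whose READ count inside
    any sliding window of length `window` exceeds max_files (T1078 pattern).
    The reported window is the one with the highest count for that user."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "READ":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        for j in range(len(evs)):
            while evs[j]["ts"] - evs[i]["ts"] > window:  # shrink from the left
                i += 1
            count = j - i + 1
            if count > max_files and count > flagged.get(user, {}).get("files", 0):
                flagged[user] = {"files": count,
                                 "bytes": sum(e["bytes"] for e in evs[i:j + 1]),
                                 "start": evs[i]["ts"]}
    return flagged


def parse_egress(text):
    """Parse the assumed flow format into flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": _ts(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes_out": int(nbytes)})
    return flows


def flag_suspicious_egress(flows, bulk_bytes=500_000_000):
    """Return {dst: [reasons]} for flows matching T1041-style indicators:
    known Tor relay, Tor default port, or bulk outbound volume to one host."""
    hits = defaultdict(list)
    for f in flows:
        if f["dst"] in TOR_RELAYS:
            hits[f["dst"]].append("dst is a known Tor relay")
        if f["dport"] in TOR_DEFAULT_PORTS:
            hits[f["dst"]].append(f"dport {f['dport']} is a Tor default port")
        if f["bytes_out"] >= bulk_bytes:
            hits[f["dst"]].append(f"bulk egress of {f['bytes_out']} bytes from {f['src']}")
    return dict(hits)


if __name__ == "__main__":
    for user, info in flag_bulk_readers(parse_file_audit(FILE_AUDIT)).items():
        print(f"[T1078] {user}: {info['files']} records, {info['bytes']} bytes "
              f"starting {info['start'].isoformat()}")
    for dst, reasons in flag_suspicious_egress(parse_egress(EGRESS)).items():
        print(f"[T1041] {dst}: " + "; ".join(reasons))
```

The file-access rule deliberately keys on the count of distinct record reads rather than bytes alone, because medical images and PDFs vary so much in size that a byte threshold either misses small-record theft or fires on one legitimate imaging pull; tune `window` and `max_files` against each role's normal daily volume before enabling alerts. The egress rule is a coarse triage filter, not proof of Tor use: connections on port 9001 can be legitimate, and relay lists churn, so treat each hit as a lead to correlate with the account and host involved.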
Watch for potential follow‑on extortion attempts, dark‑web listings of the stolen data, and any regulatory actions stemming from the breach.