Excelas, a national provider of medical record organization and analysis services, has disclosed a data breach affecting personal and protected health information. The Cl0p ransomware group claimed responsibility on January 23, 2026, after gaining unauthorized access to Excelas systems between November 27 and December 3, 2025. Notifications were filed with the attorneys general of Massachusetts and New Hampshire on May 12, 2026.

What Happened

An unauthorized actor accessed Excelas computer systems during a seven-day window between November 27 and December 3, 2025. During that period, the intruder may have accessed or acquired a limited number of files from the network. Excelas detected suspicious activity and launched what it described as a thorough and time-intensive review to determine the scope of the compromise and identify affected individuals. Roughly two months after the intrusion window closed, the Cl0p ransomware group posted a claim on its Tor-based leak site asserting it had exfiltrated data from Excelas. The public disclosure to state regulators followed in May 2026, nearly six months after the initial access.

What Was Taken

The exposed data set includes a comprehensive mix of personally identifiable information (PII) and protected health information (PHI). PII elements include names, dates of birth, Social Security numbers, and government-issued identification. The PHI component is especially expansive: diagnosis information, medical history, mental and physical treatment records, prescription information, treating or referring physician details, medical record images, health insurance policy numbers, medical record numbers, subscriber numbers, health insurance group or plan numbers, broader health insurance information, and payment information. Because Excelas aggregates records from multiple healthcare providers and litigation contexts, the affected data likely spans patients across numerous downstream organizations.

Why It Matters

Excelas sits in a particularly sensitive position within the healthcare ecosystem, organizing and analyzing medical records often used in legal, insurance, and clinical review workflows. A breach at this layer amplifies the impact beyond a single hospital or clinic, exposing curated dossiers that combine identity, financial, and clinical data in one place. For threat actors, that combination is uniquely valuable for insurance fraud, identity theft, extortion of individual patients, and targeted social engineering against clinicians. The Cl0p attribution is also significant: the group has historically executed mass-exploitation campaigns against managed file transfer platforms (MOVEit, GoAnywhere, Cleo), suggesting Excelas may be one of many downstream victims from a broader supply chain event.

The Attack Technique

Excelas has not publicly attributed the intrusion to a specific vulnerability or initial access vector. However, the narrow seven-day access window and the subsequent Cl0p leak-site claim are consistent with the group's established pattern of exploiting zero-day or n-day vulnerabilities in widely deployed file transfer and managed enterprise software, exfiltrating data quickly, and posting victims to its Tor leak site to pressure payment. Cl0p typically forgoes encryption in favor of pure data-theft extortion, which aligns with the public-facing details of this incident. Organizations using Cleo, MOVEit, GoAnywhere MFT, or similar platforms in late November 2025 should treat this event as a prompt to revisit their logs from that window.
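To make the "revisit their logs from that window" advice concrete, here is an added example (not code from Excelas, Cl0p reporting, or any vendor) that filters web or MFT access-log lines to the November 27 to December 3, 2025 window and totals successful download bytes per client address, so a reviewer can see which sources pulled unusually large volumes during the suspected exfiltration period. The Combined-Log-Format layout, the sample lines, the client addresses and the 100 MiB threshold are all constructed assumptions for illustration.

```python
"""
Added example for reviewing access logs over a suspected intrusion window.
Not Excelas's or any vendor's code; the log format, sample lines and the
download threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a Combined-Log-Format style (RFC 5737 test addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [26/Nov/2025:09:12:01 +0000] "GET /files/report1.pdf HTTP/1.1" 200 20480
203.0.113.5 - - [28/Nov/2025:02:14:09 +0000] "GET /files/export.zip HTTP/1.1" 200 524288000
203.0.113.5 - - [28/Nov/2025:02:16:30 +0000] "GET /files/export2.zip HTTP/1.1" 200 734003200
198.51.100.7 - - [30/Nov/2025:14:01:11 +0000] "GET /files/report2.pdf HTTP/1.1" 200 30720
192.0.2.9 - - [04/Dec/2025:08:00:00 +0000] "GET /files/big.zip HTTP/1.1" 200 900000000
"""

# One access-log line: client, timestamp, request line, status, response bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# The window named in the disclosure: Nov 27 through Dec 3, 2025 (end is exclusive).
WINDOW_START = datetime(2025, 11, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 4, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": size,
    }


def bytes_by_client(log_text, start=WINDOW_START, end=WINDOW_END):
    """Sum bytes of successful GET responses per client address inside [start, end)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["method"] != "GET":
            continue
        if start <= rec["ts"] < end:
            totals[rec["ip"]] += rec["bytes"]
    return dict(totals)


def flag_bulk_downloaders(log_text, threshold_bytes=100 * 1024 * 1024):
    """Clients whose in-window download volume meets the (assumed) threshold."""
    totals = bytes_by_client(log_text)
    return sorted(ip for ip, total in totals.items() if total >= threshold_bytes)


if __name__ == "__main__":
    for ip, total in sorted(bytes_by_client(SAMPLE_LOG).items()):
        print(f"{ip:<16} {total:>12} bytes in window")
    print("flagged:", flag_bulk_downloaders(SAMPLE_LOG))
```

The threshold is a starting point, not a verdict: a reviewer would compare each flagged address against known partner ranges and the platform's own transfer records, and would widen the window on either side, since the disclosed dates mark what the investigation confirmed rather than what the logs may show.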

What Organizations Should Do

Sources: Excelas Data Breach Exposes Personal and Health Information