A ransomware attack targeting Compumedics USA Inc., a medical technology provider specializing in sleep diagnostics and neurological monitoring systems, has resulted in a significant data breach affecting more than 318,000 individuals across multiple healthcare organizations in the United States.
According to Compumedics, unauthorized access to its systems occurred between February 15 and March 23, 2025. The breach was discovered on March 22, triggering an immediate response that included securing systems, launching an internal investigation, engaging cybersecurity experts, and notifying federal law enforcement agencies.
The company confirmed that the cyberattack involved a ransomware component. After a comprehensive forensic analysis, Compumedics determined that sensitive data belonging to clients and patients had been accessed and, in some cases, exfiltrated by the threat actors.
Scope of the Data Compromise
The compromised information includes a wide range of personal and medical data, such as:
- Full names and dates of birth
- Demographic details
- Medical record numbers
- Diagnosis and treatment information
- Provider names and dates of service
- Sleep study data and results
- In some instances, Social Security numbers and health insurance details
The extent of exposure varied by individual, with some affected by partial disclosures and others experiencing more comprehensive breaches.
Impacted Healthcare Organizations
The breach impacted data from patients associated with several prominent healthcare providers that utilize Compumedics’ technology and services. These include:
- VCU Health System Authority
- Billings Clinic
- Bronson Healthcare Group
- Chest Medicine Associates
- Erlanger Health
- Stormont Vail Healthcare
- The Center for Sleep Medicine
- United Hospital Center
- UPMC Central PA
- WellSpan Health
Compumedics notified all affected organizations and has been collaborating closely with them to comply with regulatory requirements and facilitate patient notifications.
Company Response and Mitigation Efforts
Following the discovery of the breach, Compumedics took several steps to mitigate the incident and prevent further exposure. Systems were taken offline and reviewed before being securely restored. A third-party cybersecurity firm led the forensic investigation and Federal law enforcement was notified and involved in response efforts.
Additionally, Compumedics has enhanced its internal cybersecurity infrastructure and implemented new employee training protocols to reduce the risk of future incidents.
