Insightin Health recently notified the California Attorney General of a data breach occurring in September 2025 that stemmed from a vulnerability in the GoAnywhere file-transfer tool. Although the company confirmed that member names and insurance details were accessed, they have not addressed reports that the Medusa ransomware gang claimed responsibility for stealing 378 GB of data.

Insightin Health, a provider of data analytics for healthcare payers, officially reported a security breach to regulatory authorities on March 4, 2026. The company explained that an unauthorized party exploited a previously unknown design flaw in the GoAnywhere software to access their servers between September 17 and September 23, 2025. While the company identified the suspicious activity quickly and engaged third-party experts to secure the environment, it took until February 2026 for specific health plans to confirm which individuals had their personal information compromised.

The data involved in the incident includes sensitive health-related details such as member names, insurance information, healthcare provider names, and member identifiers. In some cases, more specific data like Medicare Beneficiary Identifiers and contract numbers were also exposed. Insightin Health has clarified that Social Security numbers and financial information were not part of the affected files, though the scope of the personal data remains significant for those impacted.

There is notable confusion regarding the specific technical cause of the breach and its relation to past vulnerabilities. The GoAnywhere platform was famously targeted by the Clop ransomware group using a zero-day exploit in 2023, leading to questions about whether this 2025 event involved a brand-new flaw or an unpatched version of the old one. Insightin Health has not responded to inquiries seeking to clarify if they were hit by a secondary vulnerability or a recurring issue with the third-party software.

Adding to the complexity of the situation is the apparent involvement of the Medusa ransomware group, which claimed credit for the attack on its leak site in late 2025. Medusa alleged that it exfiltrated 378 GB of data during the intrusion. However, Insightin Health’s public notifications and substitute notices make no mention of the ransomware group or any extortion demands, leaving a gap between the company's official narrative and the claims made by the threat actors.

As of now, the total number of affected individuals remains unknown because the incident has not yet been listed on the Department of Health and Human Services public breach portal. Furthermore, because the stolen data is no longer appearing on Medusa’s leak site, there is lingering uncertainty regarding whether a ransom was paid to delete the files or if the data remains in the hands of the attackers. The lack of transparency regarding the total impact and the specific nature of the exploit continues to raise concerns for the affected healthcare members.

Source: Insightin Health Discloses Second Data Security Incident In Two Years