{
	"id": "d55abea3-f3e9-4acf-8b9e-9e1930fd3ef2",
	"created_at": "2026-04-11T02:24:00.143323Z",
	"updated_at": "2026-04-11T02:24:15.533231Z",
	"deleted_at": null,
	"sha1_hash": "f9bb598311561e4f374889ecdf14684d986c925f",
	"title": "Exclusive: Apex Custom Software hacked, threat actors threaten to leak the software (1) - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40382,
	"plain_text": "Exclusive: Apex Custom Software hacked, threat actors threaten to\r\nleak the software (1) - DataBreaches.Net\r\nPublished: 2025-01-30 · Archived: 2026-04-11 02:13:35 UTC\r\nOn January 20, the hackers known as 0mid16B tweeted, “At 7:40AM 20th Jan (US time), a US healthcare\r\nsoftware provider has been hacked. All data in server has been deleted. 48 hours left before we publish all data.”\r\nThe attached screenshot showed a listing of medications, but without any patient information attached. Two days\r\nlater, they tweeted information about Cardinal Health, but again, it did not appear linked to any protected health\r\ninformation (PHI).  They also published some Cardinal Health employee login information that included names,\r\nemail addresses, and passwords in plaintext.\r\nCardinal Health isn’t a software provider. And as the hackers revealed in a January 26 tweet,  it was Apex Custom\r\nSoftware (“Apex”)  in Texas that they had hacked. Cardinal was only one of its clients who were allegedly\r\naffected.\r\nApex specializes in software for the healthcare sector. Its products focus on controlled substance tracking,\r\ncredentialing management, inventory management, telemedicine, and healthcare analytics.\r\nOn January 26, 0mid16B reached out to DataBreaches.net and provided additional information about the attack,\r\naccompanied by what they described as the entire databases of Apex’s software.\r\nWhat Happened?\r\nIn response to specific questions posed by DataBreaches, the spokeserson for 0mid16B stated that they first\r\naccessed Apex between January 16 – January 20. They declined to reveal how they gained access, but claim that\r\nApex never detected their presence or the exfiltration. As of January 29, they claimed they still had access.\r\n0mid16B states they first contacted Apex on January 20. “They responded, but the owner said he has no money\r\nand only offered 1000 USD,” 0mid16B told DataBreaches.\r\nAlthough they tweeted about Cardinal Health, 0mid16B stated that they did not contact Cardinal Health or any\r\nother client directly. They were “Pissed at APEX offer and decided to publish all.” The spokesperson later added,\r\n“In fact, i told him that we know he owns 1 million USD bungalow and a 400,000 USD apartment when he told us\r\nhe is poor and can only pay 1000 USD.” DataBreaches does not know if that is true, but has seen this type of thing\r\na number of times where threat actors have researched their victims carefully and know when victims are lying\r\nabout their revenue or assets.  Maybe the owner expected 0mid16B to respond with another, and lower, demand\r\nthan their original demand. If so, he miscalculated.\r\nDataBreaches asked 0mid16B what they had meant in earlier correspondence about the importance of auditing\r\nsoftware for security before contracting with a software provider. DataBreaches asked, “You said auditing\r\nsoftware companies is important. What would an audit of Apex have shown Cardinal?”  0mid16B responded,\r\n“Their security is none. It is standard operating procedure to audit coding before going LIVE. An audit of APEX\r\nhttps://databreaches.net/2025/01/30/exclusive-apex-custom-software-hacked-threat-actors-threaten-to-leak-the-software/\r\nPage 1 of 2\n\nsoftware would tell the world, never to engage their services. APEX designed loopholed softwares and used\r\nunsecured backend for storing data and they are focused on healthcare software?”\r\nIf 0mid16B does wind up leaking all the software, others will be able to conduct an audit to confirm or refute their\r\nclaims about APEX’s lack of security.\r\nRisk to Patients?\r\nOne of DataBreaches’ other questions concerned how much protected health information (PHI) there was in the\r\ndata, as looking through the software data provided to this site, DataBreaches did not see a lot of PHI.  But there\r\nare also other risks possibly involved, apart from the firm having its propietary information leaked publicly.\r\nDataBreaches asked 0mid16B about what a malicious threat actor could do with access.\r\n“Theoretically, we can make a change to scheduled dispensing, say Drug A and change it to Drug B and the drug\r\nwill be dispensed wrongly to the end user,” they answered. “Of course, we wouldn’t be doing this but that is\r\nalready dangerous, even without PHI.” DataBreaches notes that healthcare professionals routinely verify that they\r\nare administering the correct medication and dosage to patients, but if someone tampered with inventory so that\r\nhospitals or pharmacies ran out of medications they needed for patient care, that could impact patient care. But to\r\nbe clear: there is no indication that 0mid16B has any intention of doing anything malicious. They are a financially\r\nmotivated group who has been increasingly turning to the U.S. healthcare sector because, as 0mid16B told\r\nDataBreaches in an earlier communication,  unlike India and Canada, U.S. healthcare victims pay.\r\nHow Has Apex Responded?\r\nDataBreaches reached out to to Apex via email on January 27 and again on January 29. The second email\r\ninformed Apex of some of 0mid16B’s claims and asked what they were doing in response. No reply has been\r\nreceived.\r\nDataBreaches also reached out to Cardinal Health via email yesterday to ask whether Apex had notified them of\r\nthem the incident. They, too, did not reply, and DataBreaches does not know if they are even aware that some\r\nemployee login credentials have been leaked publicly in plain text.\r\nToday, HHS’s update included an entry for Apex Custom Software that was submitted to them on January 22. The\r\nreport, submitted as a business associate, indicated that 1,500 patients had been affected. It is not clear if that\r\nnumber is on behalf of all of its clients or just one or a few. There is no notice on Apex’s website about any\r\nincident.\r\nAs of publication, 0mid16B does not appear to have leaked the software on the forum where they usually leak\r\ndata.\r\nUpdate of February 1. 0mid16B leaked the Apex Controlled Substance software and also leaked what appears to\r\nbe some employee information from Cardinal Health that includes passwords in plain text.\r\nSource: https://databreaches.net/2025/01/30/exclusive-apex-custom-software-hacked-threat-actors-threaten-to-leak-the-software/\r\nhttps://databreaches.net/2025/01/30/exclusive-apex-custom-software-hacked-threat-actors-threaten-to-leak-the-software/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://databreaches.net/2025/01/30/exclusive-apex-custom-software-hacked-threat-actors-threaten-to-leak-the-software/"
	],
	"report_names": [
		"exclusive-apex-custom-software-hacked-threat-actors-threaten-to-leak-the-software"
	],
	"threat_actors": [],
	"ts_created_at": 1775874240,
	"ts_updated_at": 1775874255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9bb598311561e4f374889ecdf14684d986c925f.pdf",
		"text": "https://archive.orkl.eu/f9bb598311561e4f374889ecdf14684d986c925f.txt",
		"img": "https://archive.orkl.eu/f9bb598311561e4f374889ecdf14684d986c925f.jpg"
	}
}