Data Breach Notification,
Data Security,
Healthcare
Inotiv Updates SEC on Ongoing Evaluation of Cyberattack Impact
Inotiv, a contract research organization, has disclosed to federal regulators that it is actively assessing the extensive financial and operational consequences of a cyberattack attributed to the ransomware group Qilin, which occurred in August. The company is also in the process of notifying nearly 10,000 individuals whose data may have been compromised.
Inotiv’s filing with the U.S. Securities and Exchange Commission (SEC) on December 3 detailed that they managed to restore access to certain IT systems affected by this cyber incident first detected on August 8. Initial investigations indicated unauthorized access to and encryption of company data by the threat actor.
As of their latest financial report for the fiscal year ending September 30, Inotiv revealed that approximately $2.48 million in costs were incurred due to the cyber incident and related legal issues during the fourth quarter, bringing total costs for the fiscal year to about $5.93 million. However, the specific costs directly related to the breach have not been delineated.
The company acknowledged in its SEC filing that it has a legal obligation to notify affected individuals regarding the 2025 cybersecurity incident. While preliminary evaluations suggest an understanding of the incident’s scope, the complete operational and financial impact remains under review. This uncertainty has led to an inability to ascertain whether the incident will materially affect the company.
According to a breach report filed with the Maine Attorney General, the incident affected 9,542 individuals, with a forensic investigation suggesting that unauthorized access occurred between August 5 and August 8. The sample notification letters further revealed that the data compromised included names and other identifiers of both current and former employees, as well as family members and other individuals associated with Inotiv.
Inotiv has begun offering complimentary credit monitoring and identity theft protection services for 24 months to those affected by the breach and informed law enforcement authorities about the incident, asserting that the notification process was not hindered by any ongoing investigations.
As of now, Inotiv is facing at least three class action lawsuits that have been consolidated in an Indiana federal court. The litigation claims that the Qilin group is responsible for the attack and that it involved the theft of 176 gigabytes of sensitive data. The lawsuits assert that the cyberattack disrupted business operations and allege that the compromised data may have been disseminated on the dark web.
The lawsuits accuse Inotiv of failing to adequately secure the private information entrusted to them by plaintiffs and class members. Attorneys for the plaintiffs did not respond to requests for comment regarding the matter.
Based in Indiana, Inotiv reported $513 million in revenue for the fiscal year ending September 30 and specializes in drug discovery and development across various therapeutic areas, including oncology and infectious diseases.
