Breach Analysis

Inotiv Breach: Ransomware Attack Exposes SSNs After 20-Month Delay

Inotiv, Inc. disclosed a ransomware breach affecting 9,542 individuals with SSNs, credit cards, and medical data exposed -- nearly two years after discovering the attack.

By FinSecLedger

Ransomware Hit Inotiv in December 2023 -- Affected Individuals Were Not Told Until August 2025

Inotiv, Inc., a West Lafayette, Indiana-based life sciences and contract research organization, disclosed a data breach to the California Attorney General affecting 9,542 individuals. The breach, caused by a ransomware attack, exposed an unusually broad set of personal data: names, addresses, dates of birth, Social Security numbers, driver's license numbers, credit card numbers, and medical information.

The most striking element of this breach is not the data types or the record count. It is the timeline. Inotiv discovered the breach on December 2, 2023. The company did not notify affected individuals until August 5, 2025 -- a delay of approximately 611 days, or just over 20 months. That gap between discovery and disclosure is extraordinary by any measure and raises serious questions about compliance with state breach notification laws that require action in the "most expedient time possible."

The notification letter filed with the California AG references a "December 2nd letter," indicating this August 2025 mailing is an update to an earlier notification. It extends credit monitoring through Experian IdentityWorks for 24 months, with an enrollment deadline of March 31, 2026, and a support line at (833) 918-5956. The existence of an update letter means Inotiv has been managing this breach response over an extended period -- but the initial notification itself came roughly two years after discovery.

Timeline of Events

  • December 2, 2023 -- Inotiv discovers the ransomware attack on its systems.
  • Late 2023 to 2025 -- Investigation and forensic review. The exact dates when Inotiv determined which individuals were affected and what data was compromised are not specified in the notification.
  • December 2, 2025 (approximate) -- First notification letter sent to affected individuals (referenced as "December 2nd letter" in the update filing).
  • August 5, 2025 -- Update notification filed with the California Attorney General, extending credit monitoring to 24 months via Experian IdentityWorks.

The timeline presents an apparent contradiction: the California AG filing is dated August 5, 2025, but the notification references a "December 2nd letter" that appears to postdate the filing. This likely reflects either a phased notification process -- where the California AG filing accompanied an initial disclosure in mid-2025, followed by a more detailed notification in December -- or a clerical inconsistency in the filing dates. Regardless of the exact sequencing, the core issue remains: nearly two years elapsed between breach discovery and consumer notification.

For context, the Corban OneSource breach drew scrutiny for a 148-day notification delay. At 611+ days, Inotiv's timeline is more than four times longer. The 1st MidAmerica Credit Union breach, where the Marquis Software Solutions compromise took 161 days to reach affected members, was considered slow. Inotiv's delay is in a different category entirely.

What Data Was Exposed

The breach compromised seven categories of personal information:

  • Names (first and last)
  • Addresses (mailing/residential)
  • Dates of birth
  • Social Security numbers
  • Driver's license numbers
  • Credit card numbers
  • Medical information

This is one of the broadest data exposure profiles we have tracked. Most breaches expose two or three PII categories -- typically names combined with SSNs or financial account numbers. Inotiv's breach includes both financial identifiers (SSNs, credit cards) and non-financial identifiers (driver's licenses, medical records, DOBs) that together enable nearly every category of identity fraud.

SSN plus DOB is the standard package for opening fraudulent credit accounts and filing false tax returns. Driver's license numbers add the ability to create fake physical identification documents. Credit card numbers enable immediate financial fraud. Medical information opens a separate and often overlooked vector: medical identity fraud, where stolen health records are used to obtain medical services, submit false insurance claims, or acquire prescription medications under someone else's identity.

The combination of all seven data types in a single breach means affected individuals face compounded risk across financial, government, and healthcare systems simultaneously. Monitoring a single credit bureau is insufficient when the attacker has enough data to operate across all three fraud domains.

How the Attack Happened

The attack vector was ransomware. Inotiv's notification does not specify the ransomware variant, the initial access method, or whether data was exfiltrated before encryption. In most modern ransomware operations, attackers exfiltrate sensitive data before deploying the encryption payload -- creating leverage for double extortion, where the threat of publishing stolen data accompanies the ransom demand.

Life sciences and contract research organizations are high-value ransomware targets. They hold sensitive clinical trial data, employee records, and -- as this breach demonstrates -- personal information for research participants, staff, and contractors. The combination of valuable data, regulatory pressure to maintain operations, and time-sensitive research timelines makes these organizations more likely to pay ransoms or accept extended recovery periods.

The pattern mirrors what we see across the vendor and healthcare-adjacent space. The Parexel International breach, involving another life sciences vendor, exposed SSNs and credit card data through a vulnerability exploit. The Cerenade breach showed how a single vendor platform compromise cascades across every client organization in the system. Ransomware groups have systematically targeted organizations that aggregate sensitive data from multiple sources -- precisely because the blast radius of a single intrusion is multiplied across the vendor's entire client base.

According to the FBI Internet Crime Complaint Center (IC3), ransomware complaints from healthcare and critical infrastructure sectors have increased year over year, with the healthcare sector consistently ranking among the top three most-targeted industries. The Verizon 2024 Data Breach Investigations Report found that ransomware was involved in 24% of all breaches -- and that figure climbs higher in sectors with sensitive personal data.

Who Is Affected

The 9,542 affected individuals, based on the California AG filing, include people whose information was stored in systems compromised during the ransomware attack. Inotiv operates as a contract research organization (CRO) providing drug discovery, development services, and laboratory animal research for pharmaceutical and biotech clients.

The affected population likely includes Inotiv employees, contractors, and potentially research study participants whose personal information was maintained in the company's systems. The inclusion of medical information in the exposed data types suggests that at least some affected individuals had health-related records on file -- whether through employment health screenings, workers' compensation records, or clinical research participation.

The California AG filing covers individuals who are California residents, but the total breach population across all states is likely larger. Companies that file with the California AG are often simultaneously notifying attorneys general in other states where affected individuals reside.

Regulatory Implications

California's breach notification statute (Cal. Civ. Code § 1798.82) requires organizations to disclose a breach "in the most expedient time possible and without unreasonable delay." The law permits delay only when a law enforcement agency determines that notification would impede a criminal investigation -- and even then, notification must proceed once the investigation is no longer compromised.

A 20-month delay tests the outer limits of what any state regulator would consider reasonable. Even accounting for a complex forensic investigation, the time from breach discovery to notification is far longer than industry norms. The average notification timeline tracked across filings in FinSecLedger's breach tracker falls between 60 and 180 days. Inotiv's timeline is more than three times the high end of that range.

The California Attorney General's office has enforcement authority under the state's breach notification law and has historically pursued actions against companies that unreasonably delay disclosure. If the office determines that Inotiv's delay lacked justification -- no law enforcement hold, no extraordinary investigative complexity -- the company could face enforcement proceedings.

At the federal level, the FTC has authority under Section 5 to pursue companies whose data security practices are unfair or deceptive. A ransomware attack that exposes seven categories of PII, followed by a two-year notification delay, raises both prongs: was the security posture adequate, and were consumers misled by the extended silence?

For financial institutions and regulated entities that share data with contract research organizations -- through employee wellness programs, benefits administration, or clinical research partnerships -- the Inotiv breach is a reminder that vendor risk extends beyond traditional technology and financial services providers. Any vendor that holds SSNs, financial data, or medical records is a breach liability, regardless of its primary industry.

The Bigger Picture: Vendor Risk Across Sectors

Inotiv is not a financial services company. It is a life sciences vendor. But the breach matters to the financial sector for the same reason every vendor breach matters: the data exposure profile -- SSNs, credit card numbers, DOBs -- feeds directly into financial fraud. The individuals whose SSNs were compromised in this breach are the same individuals who hold bank accounts, mortgages, and investment portfolios at financial institutions. Their exposed data will circulate in the same dark web marketplaces, be purchased by the same fraud rings, and be used to target the same financial products.

The Marquis Software Solutions breach exposed 824,000 records through a marketing vendor. The Corban OneSource breach exposed SSNs through a payroll vendor. Now Inotiv adds a contract research organization to the list of vendor categories that can generate downstream financial fraud risk. The common pattern: organizations that aggregate personal data for operational purposes become single points of failure when their security is compromised.

According to FinSecLedger's breach tracker, vendor and third-party compromises continue to represent a disproportionate share of records exposed in breaches affecting financial sector consumers. The operational question for banks, credit unions, and insurance companies is not whether their own perimeter is secure -- it is whether every organization that touches their customers' SSNs maintains equivalent security standards.

The notification delay adds another dimension. When breaches take 20 months to disclose, affected individuals lose nearly two years of potential fraud detection and prevention. Credit freezes, fraud alerts, and monitoring services only work when consumers know they need them. A two-year gap between breach and notification is a two-year head start for fraud operators.

Action Items

  1. If you received an Inotiv notification letter, enroll in Experian IdentityWorks immediately. The 24-month credit monitoring is free and the enrollment deadline is March 31, 2026. Call (833) 918-5956 with questions. Given the breadth of exposed data, single-bureau monitoring is a starting point -- not a complete defense.

  2. Place a credit freeze at all three bureaus. With SSNs, DOBs, and driver's license numbers exposed, fraudulent credit applications are a primary risk. A credit freeze at Equifax, Experian, and TransUnion prevents new accounts from being opened in your name. This is free under federal law and takes minutes at each bureau's website.

  3. Monitor health insurance explanation of benefits (EOB) statements. Medical information was exposed in this breach. Watch for EOBs showing services you did not receive -- a sign of medical identity fraud. Report discrepancies to your insurer and request a copy of your medical records to check for unauthorized entries.

  4. File an IRS Identity Protection PIN request. With SSNs and DOBs compromised, tax refund fraud is a real risk. The IRS Identity Protection PIN program assigns a six-digit number that must be included on your tax return, preventing fraudulent filings under your SSN.

  5. For institutions: audit vendor relationships that involve PII beyond your core industry. The Inotiv breach shows that data exposure risk is not limited to financial services vendors. Any vendor that holds employee SSNs, medical records, or financial data -- including benefits administrators, research partners, and HR service providers -- should be included in your third-party risk management program under OCC Bulletin 2023-17 or equivalent supervisory guidance.

Tags: breach, vendor, ransomware, ssn, california, healthcare-vendor