
Rhysida Ransomware Breach Leaks SSNs and Medical Records at Michigan Oncology Clinic

Rhysida ransomware compromised Hematology Oncology Consultants, leaking patient names, Social Security numbers and medical records. Learn the timeline, impact and mitigations.

Peter Olaleru, Cybersecurity Editor

Source: Claimdepot

Rhysida ransomware compromised the network of Hematology Oncology Consultants in Michigan, leaking patient names, Social Security numbers and medical records. The breach was discovered in February 2026, fully reviewed by April, and reported to regulators in May.

Context

On or about September 20, 2025, attackers infiltrated the computer network of Hematology Oncology Consultants, a private practice that treats cancer and blood disorders. The intrusion went undetected for weeks, allowing the threat actors to exfiltrate data before the ransomware payload encrypted systems.

Key Facts

- Claim of responsibility – On October 17, 2025, the Rhysida ransomware group posted a message on the Tor‑based dark web, stating they had stolen data from the practice.
- Discovery – The clinic learned on February 12, 2026 that files containing personally identifiable information (PII) had been accessed by an unauthorized actor.
- Data exposed – The breach released patient names together with medical records and Social Security numbers, creating a high‑risk exposure for identity theft and medical fraud.
- Response timeline – After detection, the practice secured its environment, engaged cybersecurity specialists, and completed a forensic review on April 7, 2026. Notification letters were mailed on April 24, 2026, and the breach was reported to the Massachusetts Office of Consumer Affairs and Business Regulation on May 1, 2026.
- Support – A dedicated call center (855‑954‑9214) operates weekdays, 8 a.m.–8 p.m. ET, to assist affected individuals.

What It Means

The incident underscores the vulnerability of healthcare providers to ransomware that combines encryption with data theft. Exfiltrated SSNs and health information can be sold on underground markets, increasing the likelihood of identity theft, fraudulent insurance claims, and targeted phishing attacks against patients and staff.

Mitigations – What Defenders Should Do

1. Patch known vulnerabilities – Apply the latest security patches for all operating systems and medical device software. Monitor advisories such as CVE‑2025‑XXXX that affect common Windows and Linux components.
2. Segment networks – Isolate electronic health record (EHR) systems from general office networks to limit lateral movement.
3. Enable multi‑factor authentication (MFA) – Require MFA for all remote access, especially for privileged accounts.
4. Deploy endpoint detection and response (EDR) – Use solutions that can detect MITRE ATT&CK techniques like T1078 (Valid Accounts) and T1566 (Phishing) used by ransomware groups.
5. Back up securely – Maintain immutable, offline backups of critical data and test restoration procedures quarterly.
6. Conduct phishing simulations – Train staff to recognize social‑engineering attempts that often precede ransomware deployment.
7. Monitor dark‑web leaks – Subscribe to threat‑intel feeds that alert when stolen data appears on forums, enabling rapid response.
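The article notes that the intrusion went undetected for weeks and recommends detection of T1078 (Valid Accounts). The following is an added illustration, not code from the article, the clinic or any EDR vendor, of what a minimal valid-account-abuse detector looks like when run over authentication logs. The log format, the field names, the business-hours window and the sample entries are all constructed for this example; a real deployment would read the same signals from VPN, RDP or identity-provider logs.

```python
"""Toy detector for MITRE ATT&CK T1078 (Valid Accounts) abuse.

Added example; hypothetical log format and thresholds. It flags a
successful login when it (a) comes from a source IP the account has
never used before, (b) happens outside business hours, or (c) follows
a burst of failures from the same source, which is the pattern a
credential-stuffing or brute-force attempt leaves before it succeeds.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    outcome: str  # "success" or "failure"


# Constructed sample log lines (not taken from the incident).
SAMPLE_LOG = """\
2025-09-19T09:02:11Z user=jdoe src=10.20.0.15 outcome=success
2025-09-19T09:40:52Z user=asmith src=10.20.0.22 outcome=success
2025-09-20T02:13:07Z user=jdoe src=203.0.113.45 outcome=failure
2025-09-20T02:13:19Z user=jdoe src=203.0.113.45 outcome=failure
2025-09-20T02:13:33Z user=jdoe src=203.0.113.45 outcome=success
2025-09-20T02:15:01Z user=asmith src=203.0.113.45 outcome=success
2025-09-22T10:05:44Z user=asmith src=10.20.0.22 outcome=success
"""

BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 treated as normal (assumed)
FAILURE_WINDOW_SECONDS = 600    # failures within 10 minutes count as one burst
FAILURE_THRESHOLD = 2           # this many failures before a success raises an alert


def parse_auth_log(text):
    """Parse 'timestamp key=value ...' lines into AuthEvent records."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        fields = dict(p.split("=", 1) for p in parts[1:])
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, fields["user"], fields["src"], fields["outcome"]))
    return events


def detect_valid_account_abuse(events):
    """Return a list of alert dicts, one per suspicious successful login.

    The per-user source baseline is learned from earlier successes in the
    same stream, so an account's very first login bootstraps its baseline
    and is not itself flagged as a new source.
    """
    known_sources = defaultdict(set)          # user -> IPs seen succeeding
    recent_failures = defaultdict(list)       # (user, ip) -> failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.src_ip)
        if ev.outcome == "failure":
            recent_failures[key].append(ev.ts)
            continue
        reasons = []
        if known_sources[ev.user] and ev.src_ip not in known_sources[ev.user]:
            reasons.append("new source IP for user")
        if ev.ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        burst = [t for t in recent_failures[key]
                 if (ev.ts - t).total_seconds() <= FAILURE_WINDOW_SECONDS]
        if len(burst) >= FAILURE_THRESHOLD:
            reasons.append(f"{len(burst)} failures in prior 10 min")
        recent_failures[key].clear()          # burst consumed by this success
        if reasons:
            alerts.append({"ts": ev.ts.isoformat(), "user": ev.user,
                           "src_ip": ev.src_ip, "reasons": reasons})
        known_sources[ev.user].add(ev.src_ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_valid_account_abuse(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the detector raises two alerts, both for the 203.0.113.45 source: the `jdoe` login at 02:13 (new source, off hours, preceded by two failures) and the `asmith` login two minutes later from the same address (new source, off hours). The baseline-from-history approach means the first weeks of a deployment are noisy; in practice the known-source set is seeded from an identity provider or from a learning period before alerts are enabled.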

What to watch next – Keep an eye on any further claims from Rhysida, potential data sales on underground markets, and regulatory actions that may affect other healthcare providers.
