
Ransomware groups continue to target healthcare providers, vendors, and critical infrastructure, with breaches affecting tens of thousands of patients.
From Surmodics and Kentfield Hospital to Horizon Healthcare RCM, no link in the healthcare chain is off-limits.
Surmodics and Kentfield Hospital in the Cyberattack Crosshairs
Healthcare institutions continue to be prime targets for cybercriminals. This week, Surmodics, a Minnesota-based medical device manufacturer, and Kentfield Hospital in California have found themselves grappling with serious cybersecurity incidents.
Surmodics: Medical Device Manufacturer Disrupted by Suspected Ransomware Attack
On June 5, 2025, Surmodics detected a breach of its internal systems that disrupted critical operations and rendered parts of its IT infrastructure temporarily unavailable. Though the company hasn’t publicly confirmed the nature of the breach, its description aligns with hallmarks of a ransomware attack.
Surmodics, known for its production of catheters, diagnostic coatings, and in vitro testing components, quickly brought in third-party cybersecurity specialists to contain and investigate the breach.
Recovery efforts are ongoing, with major systems already restored and data undergoing validation. Despite the disruption, Surmodics has continued fulfilling orders by switching to backup processes.
At this stage, it’s unclear whether sensitive data was exfiltrated or misused.
The attackers have not publicly released any information, nor have there been signs of fraudulent activity linked to the breach.
Still, Surmodics acknowledges potential long-term consequences, including regulatory scrutiny, litigation, and loss of business.
Fortunately, the organization maintains cyber insurance, which it expects will cover a significant portion of the financial fallout, aside from deductibles and policy exclusions.
Kentfield Hospital: Target of Data Theft and Extortion by ‘World Leaks’ Group
Meanwhile, Kentfield Hospital in California has reportedly fallen victim to a cyberattack by the World Leaks group, a threat actor known for data exfiltration and extortion.
The group claims to have stolen 146.4 GB of data across more than 140,000 files, including sensitive patient records and medical images.
World Leaks, believed to be a rebrand or spinoff of the former Hunters International ransomware group, has been actively targeting healthcare systems since early 2025.
While neither Kentfield Hospital nor its parent company, Vibra Healthcare, has confirmed the breach at the time of writing, the group’s public claims and tactics raise serious concerns.
The alleged data theft highlights a recurring pattern: attackers now increasingly focus on extracting sensitive patient information to pressure organizations into paying ransoms.
Leaks of protected health information (PHI) can cause long-term harm to patients and result in HIPAA violations, lawsuits, and loss of public trust.
Seven Healthcare Providers Land on Ransomware Data Leak Sites
Ransomware gangs continue to escalate their attacks against healthcare providers, this time adding seven U.S.-based organizations to their dark web leak portals.
These listings signal a dangerous trend: when ransom demands aren’t met, cybercriminals respond by publishing or threatening to publish stolen data, which often includes sensitive patient information.
Although the presence of an organization on a leak site doesn’t always confirm data theft or the accuracy of the attackers’ claims, it typically confirms that a cyberattack took place.
Here’s a breakdown of the most recent incidents:
Everest Ransomware Group: Four U.S. Providers Targeted
The Everest group has claimed responsibility for cyberattacks on four healthcare entities, leaking sensitive data when ransoms weren’t paid.
- Arlington Occupational Health and Wellness (Texas): Added on July 4, 2025. Everest posted samples of what it claims are stolen electronic medical records (EMRs), lab test results, patient histories, and billing files. The full dataset was allegedly published soon after.
- Avantic Medical Lab (New Jersey): Initially listed on June 10. The attackers gave Avantic one week to respond. After receiving no reply, Everest reportedly leaked the data on July 3. Files appear to contain test results and patient billing records.
- PDI Health (New York): A mobile imaging service provider based in Brooklyn, PDI was listed on May 14. According to Everest, over 373,000 records were exfiltrated and later leaked in June. These include diagnostic reports and patient histories.
- Balance Diagnostics (New York): A Cedarhurst-based imaging center was added to the leak site on May 6, and the attackers claim to have stolen over 31,000 records, including birth dates, Social Security numbers, and medical data. The full files were leaked on June 18.
Rhysida Ransomware Group: Florida Hand Center Threatened with Auction
Florida Hand Center, with locations in Punta Gorda, Port Charlotte, and Fort Myers, was added to the Rhysida group’s leak portal on July 8, 2025.
The listing includes samples of stolen documents such as patient IDs, insurance claim forms, and medical imaging. Rhysida has given the provider seven days to respond before auctioning the full dataset.
Payouts King: New Group Behind Two Confirmed Attacks
A new ransomware group calling itself Payouts King has emerged with two attacks targeting:
- Crenshaw Community Hospital (Alabama): Listed on June 27. The attackers claimed to have stolen 53 GB of data. All files have now been posted online.
- Gateway Community Services (Florida): A rehab clinic that has confirmed the breach, stating that 34,498 patients were affected. Attackers claim to have stolen 890 GB of data, including medical records, ID documents, and health insurance information.
While some details remain unconfirmed, the rapid listing of stolen healthcare data on ransomware leak sites paints a stark picture: ransomware groups are using patient data as leverage, turning care providers into high-stakes targets.
These incidents should prompt all healthcare organizations to re-evaluate their breach response plans, data access controls, and endpoint protection.
Horizon Healthcare RCM Discloses Ransomware Attack, Sensitive Data Exfiltrated
Crown Point-based Horizon Healthcare RCM, a revenue cycle management (RCM) firm that supports a wide network of hospitals and healthcare providers, has confirmed it suffered a ransomware attack during the final days of December 2024.
The intrusion was detected on December 27, 2024, and investigators later determined that threat actors had unauthorized access to Horizon’s network for at least two days, from December 25 to December 27. During this window, cybercriminals successfully extracted sensitive information.
What Data Was Compromised?
According to Horizon’s internal review, which was completed on May 20, 2025, the stolen data varies by individual. Most of the compromised files included identifiers such as patient or customer numbers, paired with general claims processing information.
However, for fewer than 500 individuals, the exposure was more severe, involving:
- Social Security numbers
- Dates of birth
- Driver’s license or passport details
- Non-address contact information
- Financial account or payment card information
Was a Ransom Paid?
While Horizon has not explicitly confirmed paying a ransom, their substitute breach notice suggests they did. The company reported that the attacker agreed to delete the stolen data, a claim that often aligns with ransomware negotiations involving payment.
As of now, no known ransomware group has claimed responsibility, further hinting at a behind-the-scenes resolution.
However, experts caution that even when ransoms are paid, data deletion cannot be independently verified. Copies may still exist, and impacted individuals should remain vigilant against identity theft or fraud, despite the absence of any confirmed misuse at this time.
RCM Firms: A Growing Bullseye
Revenue cycle management companies like Horizon are high-value targets. They process billing, claims, and payment data for multiple healthcare providers, giving attackers a one-stop shop for sensitive patient information.
This isn’t an isolated incident. Earlier in 2024, a breach at ALN Medical Management compromised the protected health data of 1.8 million people.
Horizon’s client list includes prominent organizations such as Ascension Health, Bon Secours Health System, Franciscan Alliance, and Ensemble Health Partners, some of which serve vast patient populations.
Though it remains unclear how many downstream clients or patients were affected in this latest incident, the potential scale of impact is significant. Horizon’s breach has not yet appeared on the HHS Office for Civil Rights (OCR) breach portal, leaving the total number of affected individuals unknown for now.
Key Takeaway
This incident serves as a stark reminder that RCM vendors must be held to the same security standards as the providers they serve.
Third-party access to patient data comes with real risk, and a breach at the vendor level can ripple across multiple healthcare systems. Now is the time for hospitals to audit their vendor cybersecurity practices and reinforce contracts with strict incident response protocols.
Cybercriminals are evolving, and so must our defenses. Whether you’re managing a hospital, clinic, or third-party vendor relationship, now is the time to assess your exposure and prepare for the next attack before it finds you.
Schedule a risk assessment with Infoguard Cybersecurity today and uncover hidden vulnerabilities before attackers do.