Ransomware | ADVANCEDHEALTH-RAN | 2026-05-22

AdvancedHEALTH: DragonForce Ransomware Breach

AdvancedHEALTH, a U.S. healthcare provider, has been named on the DragonForce ransomware leak site, with the group claiming theft of 390GB of internal data including 2.3 million patient data lines. Breach notifications have begun rolling out and legal scrutiny is intensifying, according to reporting published May 20, 2026.

What Happened

DragonForce, a ransomware-as-a-service operation that has rapidly grown its victim count over the past year, added AdvancedHEALTH to its dark web extortion portal with claims of 390GB of exfiltrated data. The disclosure follows the standard double-extortion pattern: encryption of victim systems paired with public threats to leak stolen records if a ransom is not paid. AdvancedHEALTH has begun the regulatory breach notification process, an early indicator that the underlying intrusion and data theft have been internally confirmed.

What Was Taken

According to the threat actor's leak post, the stolen trove totals approximately 390GB and includes roughly 2.3 million lines of patient data. The dataset is reported to contain records of minors, dramatically raising the sensitivity profile of the breach. Patient data in healthcare environments typically includes names, dates of birth, Social Security numbers, insurance identifiers, diagnostic codes, treatment history, and billing details. Records pertaining to minors carry heightened legal protections under HIPAA and various state child privacy statutes, and remain valuable to fraud operators for years given the long runway before victims typically check their credit.

Why It Matters

Healthcare continues to be the highest-impact sector for ransomware crews because data sensitivity, regulatory exposure, and operational urgency converge to pressure payment. DragonForce has emerged as one of the more aggressive successors to LockBit and ALPHV, recruiting affiliates displaced by law enforcement takedowns and adopting both an in-house locker and a customized variant derived from leaked LockBit Black source code. The inclusion of pediatric records will almost certainly accelerate class action litigation, state attorney general inquiries, and HHS Office for Civil Rights involvement, compounding the financial damage well beyond any ransom demand.

The Attack Technique

Initial access vectors used by DragonForce affiliates in recent campaigns have included exploitation of unpatched edge appliances (SimpleHelp, Ivanti Connect Secure, and Fortinet SSL VPN flaws), abuse of valid credentials sourced from infostealer logs, and phishing campaigns delivering loaders such as SocGholish. Post-compromise tradecraft commonly observed includes deployment of AnyDesk and ScreenConnect for persistence, Mimikatz and Rubeus for credential harvesting, and Rclone or MEGAcmd for staged data exfiltration prior to encryption. Specifics on the AdvancedHEALTH intrusion chain have not been publicly disclosed.

What Organizations Should Do

  1. Audit external attack surface for unpatched VPN, RMM, and file transfer appliances, prioritizing CVEs publicly tied to DragonForce affiliate activity.
  2. Hunt for unauthorized installations of AnyDesk, ScreenConnect, Atera, and Splashtop, and enforce application allow-listing on RMM tooling.
  3. Monitor for large outbound transfers to cloud storage endpoints (mega.nz, rclone user agents, anonymous file-sharing services) using egress DLP and netflow analytics.
  4. Require phishing-resistant MFA for all remote access, administrative, and email accounts; rotate credentials surfaced in recent infostealer dumps.
  5. Validate that backups are immutable, segmented, and routinely restored under tabletop conditions; healthcare entities should map dependencies on imaging, EHR, and billing systems.
  6. Pre-engage incident response counsel and forensic retainers, and review HIPAA breach notification workflows now while not under active duress.
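A concrete form of step 3, added here as an example and not part of the original brief: a small egress hunt that flags hosts talking to MEGA storage, presenting an Rclone or MEGAcmd user agent, or pushing unusually large outbound volume. The tab-separated proxy log format, the sample lines, and the user-agent patterns are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Indicators drawn from the brief: MEGA cloud storage and Rclone/MEGAcmd tooling.
# The user-agent strings are assumed for this example; check your own proxy data.
SUSPECT_DOMAINS = ("mega.nz", "mega.co.nz")
SUSPECT_UA = re.compile(r"rclone/|megacmd", re.IGNORECASE)

# Per-host outbound volume that warrants review in one window; tune locally.
VOLUME_THRESHOLD = 500 * 1024 * 1024  # 500 MiB

# Constructed sample export: timestamp, src_host, dest_host, bytes_out, user_agent.
SAMPLE_LOG = """\
2026-05-18T02:10:11Z\tws-finance-07\tupdates.example-vendor.com\t20480\tMozilla/5.0
2026-05-18T02:11:40Z\tws-finance-07\tg.api.mega.co.nz\t734003200\trclone/v1.66.0
2026-05-18T02:12:02Z\tws-finance-07\tg.api.mega.co.nz\t52428800\trclone/v1.66.0
2026-05-18T03:00:00Z\tsrv-ehr-02\tbackup.example-internal.net\t1073741824\tBackupAgent/4.2
2026-05-18T03:05:13Z\tws-radiology-03\twww.example-news.org\t4096\tMozilla/5.0
"""

def parse(line):
    ts, src, dest, nbytes, ua = line.split("\t", 4)
    return {"ts": ts, "src": src, "dest": dest, "bytes": int(nbytes), "ua": ua}

def is_suspect_domain(host):
    # Exact match or a subdomain of a listed domain; avoids matching "notmega.nz".
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def hunt(log_text, threshold=VOLUME_THRESHOLD):
    """Return {src_host: set(reasons)} for every host that trips an indicator."""
    findings = defaultdict(set)
    volume = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        volume[ev["src"]] += ev["bytes"]
        if is_suspect_domain(ev["dest"]):
            findings[ev["src"]].add("mega_destination")
        if SUSPECT_UA.search(ev["ua"]):
            findings[ev["src"]].add("rclone_or_megacmd_ua")
    # Volume alone is a weak signal (backup servers trip it); it is most useful
    # when it co-occurs with a tooling or destination indicator on the same host.
    for host, total in volume.items():
        if total >= threshold:
            findings[host].add("high_outbound_volume")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{host}: {', '.join(sorted(reasons))}")
```

In the constructed sample, the workstation triggers all three indicators while the EHR backup server trips only the volume check, which is the distinction an analyst would use to prioritise.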

Sources: AdvancedHEALTH Ransomware Claim Includes 2.3M Patient Data Lines | Cryptify Now