Breach | CLARINDA-REGIONAL | 2026-06-06

Clarinda Regional Health Center: LockBit5 Ransomware Breach


Clarinda Regional Health Center, a non-profit hospital based in Clarinda, Iowa, has begun notifying 24,341 individuals that their personal and medical data was compromised in a LockBit5 ransomware attack. The disclosure is part of a wave of four healthcare sector breaches publicly surfaced this week, collectively impacting tens of thousands of patients across the United States.

What Happened

Clarinda Regional Health Center identified suspicious activity on its computer network on December 15, 2026, triggering an immediate forensic investigation. Analysts subsequently determined that unauthorized actors had accessed or exfiltrated files containing patient data months earlier, in October 2025. The LockBit5 ransomware group has publicly claimed responsibility for the intrusion. The file review concluded on May 21, 2026, and notification letters began going out to affected individuals on June 2, 2026. Clarinda is one of four healthcare organizations to disclose major breaches in this reporting window, alongside Community Connections in Washington D.C. (18,943 individuals, attributed to Inc Ransom), Waveny Lifecare Network in Connecticut, and NJ Pain Care Specialists in New Jersey.

What Was Taken

The data exposed in the Clarinda incident is unusually comprehensive, combining identity, financial, and clinical records in a single dataset. Confirmed compromised data elements include:

The specific combination varied per individual, but the inclusion of SSNs, driver's license numbers, and financial account data positions affected patients at elevated risk of identity theft and synthetic identity fraud. Clarinda is offering complimentary credit monitoring and identity theft protection to individuals whose SSNs were involved.

Why It Matters

Healthcare remains the highest-value vertical for ransomware operators because the data is rich, the operational tolerance for downtime is near zero, and regulatory pressure incentivizes settlement. The Clarinda incident underscores three recurring themes: small and rural healthcare providers are now squarely in the crosshairs of top-tier ransomware affiliates; dwell times of six to nine months between intrusion and detection remain common; and concurrent disclosures by Inc Ransom and LockBit5 against four U.S. healthcare entities suggest sustained, coordinated targeting of the sector. For defenders, this signals that LockBit's rebranded LockBit5 operation is operationally active despite prior law enforcement disruption.

The Attack Technique

While Clarinda has not publicly disclosed the initial access vector, LockBit5 affiliates have historically relied on a consistent playbook: exploitation of internet-facing edge devices (VPN appliances, firewalls, and remote access gateways), valid credentials purchased from initial access brokers, and phishing paired with MFA-fatigue prompts or session token theft. The roughly two-month gap between the October 2025 exfiltration window and December 2026 detection is consistent with LockBit's "living-off-the-land" tradecraft: native administrative tooling such as PowerShell, PsExec, and legitimate remote management software is used in place of custom malware to avoid endpoint detection. Data staging and exfiltration to attacker-controlled infrastructure typically precede encryption by days or weeks.

What Organizations Should Do

Healthcare CISOs and security teams should treat the LockBit5 resurgence as a priority threat and re-validate the following controls:

  1. Audit and harden external attack surface. Inventory all internet-facing appliances, ensure VPN and edge devices are patched against known LockBit-favored CVEs, and disable unused remote access portals.
  2. Enforce phishing-resistant MFA. Move away from SMS and push-based MFA toward FIDO2/WebAuthn for all privileged and clinical access accounts.
  3. Deploy and tune EDR for behavioral detection. LockBit5 affiliates rely on living-off-the-land binaries; tune detections for anomalous PsExec, PowerShell, and RMM tool execution.
  4. Segment clinical and administrative networks. Limit east-west movement between EHR systems, billing infrastructure, and corporate IT to contain ransomware blast radius.
  5. Validate offline, immutable backups. Test restoration workflows quarterly; assume online backups will be targeted for deletion or encryption.
  6. Exercise incident response and breach notification playbooks. With dwell times averaging six months, tabletop exercises should explicitly include scenarios involving delayed forensic discovery and HHS OCR notification timelines.
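As an added example (not code from this brief, from Clarinda, or from any vendor), the detection tuning called for in item 3 and the living-off-the-land tradecraft described under The Attack Technique, expressed as three rules run over constructed Sysmon/System-log-style events; the hostnames, the RMM binary names and the approved-RMM list are assumptions to replace with your own inventory.

```python
import re

# Constructed sample telemetry shaped loosely like Sysmon EID 1 (process create)
# and Windows System EID 7045 (service installed); not real Clarinda data.
SAMPLE_EVENTS = [
    {"id": 1, "host": "EHR-APP01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"id": 7045, "host": "BILLING-DB02", "user": "CORP\\jdoe",
     "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 1, "host": "WS-CLINIC17", "user": "CORP\\nurse2",
     "image": r"C:\Users\nurse2\AppData\Local\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"id": 1, "host": "IT-ADMIN01", "user": "CORP\\itadmin",
     "image": r"C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
]
# Assumed: common RMM agent image names, and the subset this hospital has approved.
KNOWN_RMM = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_RMM = {"screenconnect.clientservice.exe"}
# PowerShell flags rarely seen in legitimate admin use; two or more on one line is a hit.
SUSPICIOUS_PS = re.compile(
    r"-(?:enc|encodedcommand|e)\b|-w(?:indowstyle)?\s+hidden|-nop\b|\biex\b|downloadstring",
    re.IGNORECASE)

def triage(event):
    """Return the rule names an event trips (empty list when it looks benign)."""
    findings = []
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    # Rule 1: PsExec installs its PSEXESVC service on the target host (EID 7045).
    if event["id"] == 7045 and (event.get("service", "").upper() == "PSEXESVC"
                                or image == "psexesvc.exe"):
        findings.append("psexec-service-install")
    # Rule 2: PowerShell launched with encoded, hidden-window or no-profile flags.
    if event["id"] == 1 and image == "powershell.exe":
        if len(SUSPICIOUS_PS.findall(event.get("cmdline", ""))) >= 2:
            findings.append("powershell-suspicious-args")
    # Rule 3: RMM agents not on the approved list, plus any RMM agent running
    # out of a user profile instead of an installed location.
    if image in KNOWN_RMM:
        if image not in APPROVED_RMM:
            findings.append("unapproved-rmm")
        if "\\appdata\\" in event.get("image", "").lower():
            findings.append("rmm-from-user-profile")
    return findings

def run(events):
    """Return (host, user, finding) triples for every event that trips a rule."""
    return [(e["host"], e["user"], f) for e in events for f in triage(e)]
```

The approved ScreenConnect install produces no finding, which is the point of keeping an allowlist rather than alerting on every RMM binary.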

Sources: Clarinda Regional Health Center Reports Data Breach Affecting 24K Patients · Utopia Tech