title: "Horizon Family Medical Group: Incransom Ransomware Breach"
date: 2026-06-19
slug: horizon-family-medical-incransom-ransomware
Horizon Family Medical Group: Incransom Ransomware Breach
On June 18, 2026, the ransomware group Incransom claimed responsibility for a cyberattack against Horizon Family Medical Group (horizonfamilymedical.com), a US-based healthcare provider. The group alleges it exfiltrated 7 terabytes of sensitive data, including patient records and roughly 6 terabytes of mission-critical SQL and QuickBooks databases. The claim was reported by DeXpose and corroborated by multiple intelligence sources, pointing to a severe compromise of both clinical and financial systems.
What Happened
Incransom listed Horizon Family Medical Group on its data-leak infrastructure and issued a public extortion statement: "Horizon Family Medical Group has lost complete control of their data, including patient and financial records. The clock is ticking." The wording follows the group's established double-extortion playbook, in which stolen data is used as leverage even when systems can be restored from backups. The provider has been urged to treat the event as an active breach and to assume that exfiltrated data is already in adversary hands.
What Was Taken
The actor claims a total haul of 7 terabytes. Of that, approximately 6 terabytes is described as mission-critical SQL and QuickBooks databases, indicating direct access to financial accounting and structured operational data. The remaining volume reportedly includes patient records, the most sensitive category a healthcare organization holds. Exposure of protected health information at this scale carries regulatory, legal, and patient-safety consequences, and the accompanying theft of financial databases raises the risk of fraud, invoice manipulation, and downstream business email compromise.
Why It Matters
Healthcare remains one of the most heavily targeted sectors because the data is high-value and the operational tolerance for downtime is low, which pressures victims toward fast ransom payment. A breach blending full patient records with accounting databases gives an attacker leverage on two fronts: patient privacy harm and financial disruption. For defenders, the case is a reminder that mid-sized providers are squarely in scope for established ransomware crews, and that QuickBooks and SQL data stores are explicit collection targets, not collateral.
The Attack Technique
The initial access vector has not been disclosed. Incransom-style operations typically rely on compromised or reused credentials, phishing, and exploitation of exposed remote services, followed by lateral movement and bulk staging of databases prior to exfiltration. The reported theft of large structured databases suggests the actor maintained sufficient dwell time and network reach to locate and pull centralized data stores before any extortion notice was posted.
What Organizations Should Do
- Launch a full compromise assessment to map the intrusion path, scope exfiltrated data, and identify any persistence mechanisms still active in the environment.
- Validate backups by confirming they are current, encrypted, offline, and immutable so they can survive deliberate encryption or deletion attempts.
- Enforce multi-factor authentication on all access points and run phishing simulations, since reused and dark-web-sourced credentials are common entry points.
- Monitor dark web and infostealer sources for leaked credentials, exposed databases, and threat-actor chatter referencing your organization.
- Integrate external threat intelligence and indicators of compromise into SIEM or XDR platforms for real-time correlation and alerting.
- Engage incident response, forensic, and legal experts before any contact with the threat actor or ransom brokers.
Sources: Incransom Compromises Horizon Family Medical Group - DeXpose