Two healthcare providers in Illinois and Texas have disclosed ransomware-driven data breaches affecting roughly 600,000 patients, according to an April 23, 2026 Security Boulevard report. The Insomnia ransomware group has claimed responsibility for stealing data on at least 150,000 individuals and posted sample proof on its leak site in February 2026 to validate the theft.
What Happened
Two separate healthcare organizations, operating on opposite sides of the country, were compromised in incidents tied to the rising Insomnia ransomware-as-a-service (RaaS) operation. The attackers exfiltrated patient data before encrypting systems, executing a textbook double-extortion playbook. Both providers activated incident response procedures, isolated affected networks, and engaged third-party forensics teams. Patient notifications and complimentary credit monitoring are now rolling out. No ransom payments have been confirmed, consistent with federal guidance against paying extortionists.
What Was Taken
Insomnia exfiltrated protected health information (PHI) on approximately 600,000 patients across both organizations, with the group publicly claiming theft of records belonging to at least 150,000 individuals. The stolen dataset includes:
- Patient names and home addresses
- Medical diagnoses and treatment histories
- Clinical and treatment notes
- Likely additional demographic and insurance identifiers
PHI of this depth fuels medical identity theft, insurance fraud, prescription abuse, targeted phishing, and blackmail. Unlike payment card data, medical records cannot be reissued, making the long-tail risk for victims effectively permanent.
Why It Matters
Healthcare remains the most targeted and least resilient sector in the ransomware economy. The Insomnia incidents demonstrate that a single rising affiliate crew can simultaneously compromise providers in different states, suggesting the operators are scanning broadly for opportunistic targets rather than running bespoke campaigns. For under-resourced clinics, regional hospitals, and specialty practices, the message is direct: if two providers a thousand miles apart can be breached by the same crew within months, a breached perimeter belongs in every provider's threat model. Regulators, including HHS OCR, are likely to scrutinize both incidents under HIPAA, and class action exposure for the affected providers is near certain.
The Attack Technique
While neither provider has published full root cause findings, the attack pattern aligns with Insomnia's documented affiliate tradecraft and broader healthcare ransomware trends:
- Initial access via exposed remote desktop services (RDP) or phishing of clinical and administrative staff
- Likely exploitation of legacy or unpatched perimeter systems common in healthcare IT
- Lateral movement and privilege escalation inside flat clinical networks
- Data staging and exfiltration prior to encryption
- Post-encryption extortion reinforced by sample data leaks on Insomnia's public site
Insomnia's RaaS structure separates developers, who maintain the encryptor and leak infrastructure, from affiliates, who perform intrusions in exchange for a revenue share. Publishing sample data is a calculated psychological lever to force victims back to the negotiation table.
What Organizations Should Do
- Eliminate direct RDP and management plane exposure to the internet; require VPN plus phishing-resistant MFA for all remote access.
- Patch perimeter and remote access products on an emergency cadence and decommission end-of-life systems still operating in clinical environments.
- Segment clinical, administrative, and backup networks so a single compromised endpoint cannot reach EHR, imaging, and backup repositories.
- Maintain immutable, offline backups and rehearse restoration of EHR and imaging systems against ransomware-specific scenarios.
- Deploy EDR with 24/7 monitoring across clinical workstations and servers, and tune alerts for credential dumping, RMM tool abuse, and data staging.
- Pre-stage an incident response retainer, legal counsel, and HIPAA breach notification workflow so the deadline-driven response is not being designed during a live incident.
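As an added illustration of two of these controls (closing public RDP exposure and alerting on data staging before encryption), the following Python is example code written for this article; it is not from either provider, from Insomnia's tooling, or from Security Boulevard. The firewall-style log format, the IP addresses, and the 500 MB outbound threshold are constructed assumptions, and the check is deliberately simple so it can be compared against whatever netflow or EDR telemetry an organization actually has.

```python
"""Two defender-side checks over firewall/netflow-style records:
  1. RDP (TCP 3389) reached on an internal host from a non-internal source,
     i.e. remote desktop still exposed to the internet.
  2. Large aggregate outbound volume from one internal host to one external
     destination, the pattern of data staging and exfiltration that precedes
     encryption in a double-extortion intrusion.

Added example. The log format, addresses and thresholds are constructed for
illustration and do not come from the incident report.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: "timestamp src_ip dst_ip dst_port bytes".
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for
# arbitrary external addresses; 10.20.x.x is the constructed clinical LAN.
SAMPLE_LOGS = """\
2026-02-10T01:12:03Z 203.0.113.45 10.20.5.12 3389 2048
2026-02-10T01:12:09Z 203.0.113.45 10.20.5.12 3389 4096
2026-02-10T01:15:00Z 10.20.5.12 10.20.9.40 445 1200000
2026-02-10T02:01:00Z 10.20.5.12 198.51.100.7 443 900000000
2026-02-10T02:03:00Z 10.20.5.12 198.51.100.7 443 850000000
2026-02-10T02:10:00Z 10.20.7.33 93.184.216.34 443 15000
2026-02-10T02:11:00Z 10.20.7.33 10.20.1.5 3389 3000
"""

# RFC 1918 space is treated as "internal"; everything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside one of the private (RFC 1918) ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_records(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": ts,
            "src": ip_address(src),
            "dst": ip_address(dst),
            "dport": int(port),
            "bytes": int(nbytes),
        })
    return records


def exposed_rdp(records):
    """Return sorted (source, destination) pairs where an external address
    reached TCP 3389 on an internal host. Internal-to-internal RDP (e.g. an
    admin jump host) is not flagged by this check."""
    hits = set()
    for r in records:
        if r["dport"] == 3389 and is_internal(r["dst"]) and not is_internal(r["src"]):
            hits.add((str(r["src"]), str(r["dst"])))
    return sorted(hits)


def suspicious_exfil(records, threshold_bytes=500_000_000):
    """Aggregate outbound bytes per (internal source, external destination)
    and return the pairs whose total meets the threshold, largest first.
    Internal file-server copies (the 445 line above) are staging, not
    exfiltration, so they are excluded here and belong to a separate rule."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[(str(r["src"]), str(r["dst"]))] += r["bytes"]
    flagged = [(src, dst, total) for (src, dst), total in totals.items()
               if total >= threshold_bytes]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


def run_checks(text):
    """Convenience wrapper returning both findings for a block of log text."""
    records = parse_records(text)
    return {"exposed_rdp": exposed_rdp(records),
            "suspicious_exfil": suspicious_exfil(records)}


if __name__ == "__main__":
    findings = run_checks(SAMPLE_LOGS)
    for src, dst in findings["exposed_rdp"]:
        print(f"[RDP exposed] {src} -> {dst}:3389 from outside the private ranges")
    for src, dst, total in findings["suspicious_exfil"]:
        print(f"[possible exfil] {src} -> {dst}: {total / 1e6:.0f} MB outbound")
```

In production the byte threshold should be derived from a per-host baseline rather than a constant, and the RDP check is most useful run continuously against firewall accept logs, since a single hit means the first mitigation in the list above has not actually landed.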