The city of Middletown, Ohio has confirmed a data breach affecting 123,791 residents, exposing Social Security numbers, financial account details, and medical information. The intrusion, traced to July 2025, is tied to the SafePay ransomware gang, which claimed the attack on its data leak site and continues to list the city as a victim.
What Happened
Middletown officials say they first learned certain systems in the city network environment were affected by a data security incident on August 17, 2025. According to the city's notice to victims, a forensic investigation and extensive manual document review concluded on May 18, 2026, that files were removed from the network by an unauthorized third party between July 29, 2025 and August 17, 2025.
The attack disrupted municipal operations well beyond data theft. City services, including water utility billing, went offline and were not fully restored until January 2026, roughly six months after the initial compromise. On September 12, 2025, the SafePay ransomware group publicly took credit for the breach and added Middletown to its leak site.
The city has not publicly acknowledged SafePay's claim. It remains unknown how the attackers first breached the network, whether a ransom was demanded or paid, and how much was sought.
What Was Taken
The notification confirms that a broad set of highly sensitive personal data was compromised for the 123,791 affected individuals:
- Names
- Social Security numbers
- Financial account information
- Medical information
- Health insurance information
- Addresses
- Government-issued IDs, such as driver's licenses
This combination is close to a worst-case package for identity fraud. SSNs paired with financial account data and government ID numbers give criminals nearly everything needed for synthetic identity creation, new-account fraud, and tax fraud. The inclusion of medical and health insurance records adds exposure to medical identity theft, which is harder for victims to detect and often takes longer to remediate.
Why It Matters
Municipal governments hold deep reservoirs of citizen data yet frequently operate with constrained security budgets and legacy infrastructure, making them attractive, high-yield targets. The Middletown case shows the compounding damage: not just a mass data leak, but a months-long disruption of essential services like water billing.
The timeline is also instructive. The gap between the August 2025 discovery and the May 2026 completion of document review shows how long it can take to fully scope a breach, and how delayed victim notification often follows. Comparitech researchers logged 88 confirmed ransomware attacks on US government entities in 2025, and Middletown reflects that broader pattern of public-sector targeting.
The Attack Technique
The precise initial access vector has not been disclosed. What is known centers on the threat actor. SafePay is a ransomware gang that began publicly listing targeted organizations on its leak site in November 2024. The group operates LockBit-based ransomware and runs a double-extortion scheme, demanding payment both to restore encrypted systems and to delete stolen data.
SafePay has claimed responsibility for 505 ransomware attacks in total, of which 76 have been publicly confirmed by the targeted organizations. Thirteen of those confirmed attacks hit government agencies and public utilities, including Liberty Township, OH, and the Payne County Sheriff's Office, OK, in May 2025, and multiple German municipalities and public utility companies through early 2026. The group's heavy focus on local governments and utilities makes it a persistent threat to the public sector.
What Organizations Should Do
- Segment networks aggressively, isolating utility billing and operational systems from general IT so that a single intrusion cannot cascade into service outages that take months to reverse.
- Maintain offline, immutable backups and rehearse restoration regularly. SafePay's double-extortion model means encryption is only half the threat, so recovery capability must be tested, not assumed.
- Enforce phishing-resistant multi-factor authentication on all remote access, VPNs, and administrative accounts to close the initial-access paths ransomware crews rely on.
- Deploy endpoint detection and response with monitoring tuned for LockBit-derived tooling and for large outbound data transfers that signal exfiltration before encryption.
- Build and test an incident response and breach notification plan in advance so scoping and victim notice do not stretch into many months.
- Encrypt sensitive resident data at rest and minimize retention, reducing the value of any files an intruder manages to remove from the network.
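One way to implement the egress monitoring recommended above, as an added example that is not part of the article or of any vendor's tooling: it baselines each host's daily outbound volume from constructed flow-log summaries (hostnames, IPs, dates and byte counts are assumed sample values) and flags days that exceed both the host's own statistical threshold and an absolute floor, the pattern a double-extortion crew's bulk exfiltration leaves before encryption begins.

```python
import statistics
from collections import defaultdict

# Constructed daily egress summaries (not real Middletown data): date, internal host, destination, bytes out.
FLOW_LOG = """\
2025-07-22 billing-srv-01 198.51.100.7 410000000
2025-07-23 billing-srv-01 198.51.100.7 395000000
2025-07-24 billing-srv-01 198.51.100.7 420000000
2025-07-25 billing-srv-01 198.51.100.7 402000000
2025-07-26 billing-srv-01 198.51.100.7 388000000
2025-07-29 billing-srv-01 203.0.113.45 9800000000
2025-07-30 billing-srv-01 203.0.113.45 12400000000
2025-07-22 gis-ws-07 198.51.100.7 120000000
2025-07-23 gis-ws-07 198.51.100.7 115000000
2025-07-24 gis-ws-07 198.51.100.7 130000000
2025-07-25 gis-ws-07 198.51.100.7 125000000
2025-07-26 gis-ws-07 198.51.100.7 118000000
2025-07-29 gis-ws-07 198.51.100.7 131000000
2025-07-30 gis-ws-07 198.51.100.7 124000000
"""
# Assumed "known-good" window used to learn each host's normal daily egress.
BASELINE_DAYS = {"2025-07-22", "2025-07-23", "2025-07-24", "2025-07-25", "2025-07-26"}

def parse_flows(text):
    """Parse 'date host dst bytes' lines into (date, host, bytes) tuples."""
    return [(d, h, int(n)) for d, h, _dst, n in (ln.split() for ln in text.splitlines())]

def daily_outbound(rows):
    """Sum outbound bytes per host per day: {host: {date: bytes}}."""
    per_host = defaultdict(lambda: defaultdict(int))
    for date, host, nbytes in rows:
        per_host[host][date] += nbytes
    return per_host

def flag_exfil(rows, baseline_days, min_baseline=5, sigma=3.0, floor_bytes=1_000_000_000):
    """Return (host, date, bytes, ratio to baseline mean) for non-baseline days whose egress
    exceeds mean + sigma*stdev of the host's own baseline AND an absolute floor."""
    alerts = []
    for host, days in daily_outbound(rows).items():
        base = [b for d, b in days.items() if d in baseline_days]
        if len(base) < min_baseline:      # not enough history to judge; skip rather than guess
            continue
        mean, sd = statistics.mean(base), statistics.pstdev(base)
        for d, b in sorted(days.items()):
            if d not in baseline_days and b > mean + sigma * sd and b > floor_bytes:
                alerts.append((host, d, b, round(b / mean, 1)))
    return alerts
```

The absolute floor keeps low-volume workstations from alerting on statistically large but operationally trivial spikes, while the per-host baseline catches a server whose egress jumps far above its own norm even if it is chatty by design.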