A newly emerged cybercriminal group calling itself Blackwater has claimed responsibility for an Easter weekend ransomware attack against Minidoka Memorial Hospital in Rupert, Idaho. The group says it exfiltrated 577 GB of data and has given the hospital a one-week deadline to pay an undisclosed ransom. The hospital has confirmed a cyber incident that disrupted medical imaging and forced the transfer of certain emergency patients, though it has not acknowledged Blackwater's specific claims.
What Happened
Minidoka Memorial Hospital experienced a cyber incident on Easter morning that temporarily impacted multiple systems across the organization. According to an April 17, 2026 Facebook statement from the hospital, the disruption degraded imaging services to the point where certain emergency patients had to be transferred to other facilities. The hospital projected full restoration of imaging services in its Emergency Department by midnight on April 19, 2026.
On the same day as the hospital's public statement, Blackwater listed Minidoka Memorial Hospital on its dark web data leak site and took credit for the intrusion. The group claims to have stolen 577 GB of hospital data and is demanding payment within seven days. The hospital has not publicly confirmed Blackwater's involvement, and independent verification of the claim has not been possible at this time.
What Was Taken
Blackwater asserts it exfiltrated 577 GB of data from Minidoka Memorial Hospital, but the specific contents of the stolen dataset have not been disclosed. Given that the victim is a regional healthcare provider, the compromised data likely includes some combination of protected health information (PHI), personally identifiable information (PII) of patients and staff, insurance records, billing data, and internal operational files. The hospital has not confirmed what records, if any, were accessed or taken, and it remains unknown whether Blackwater possesses the volume of data it claims.
Why It Matters
The attack marks the ninth confirmed ransomware incident against a US healthcare provider tracked by researchers in 2026, underscoring the sustained targeting of hospitals by financially motivated threat actors. Rural and community hospitals like Minidoka Memorial are particularly vulnerable because they often operate with leaner IT and security staffing than large health systems, yet they deliver critical services where downtime directly translates to patient transfers and delayed care. The emergency patient transfers caused by imaging outages in this incident illustrate the real-world clinical impact of ransomware on small healthcare facilities.
The incident also highlights the rapid operational tempo of Blackwater, a group that only surfaced in March 2026 and has already claimed three victims, including Medical Park Hospitals Group in Turkey on April 12, 2026 (a claim the Turkish hospital group denied).
The Attack Technique
The initial access vector used to breach Minidoka Memorial Hospital has not been publicly disclosed. Blackwater's tradecraft, based on its short history, involves double extortion: the group both encrypts victim systems to disrupt operations and exfiltrates data to extort payment under threat of public leak. The combination of system lockdown with data theft is consistent with the dominant ransomware business model observed across the healthcare sector in 2025 and 2026. Without forensic disclosure from the hospital, specific indicators of compromise, encryption behavior, and lateral movement patterns associated with this intrusion remain unknown.
What Organizations Should Do
- Harden remote access and perimeter services. Enforce phishing-resistant MFA on VPNs, Citrix gateways, and remote management tools, and audit exposed services for unpatched vulnerabilities commonly abused for initial access.
- Segment clinical and imaging systems. Isolate PACS, radiology workstations, and other imaging infrastructure from general IT networks so that a ransomware event cannot immediately degrade emergency care.
- Validate and rehearse offline backups. Ensure backups for EHR, imaging, and business systems are immutable or air-gapped, and run tabletop and live restoration exercises against realistic ransomware scenarios.
- Monitor for data staging and exfiltration. Deploy egress monitoring and data loss prevention controls to detect large outbound transfers, since Blackwater and similar actors rely on stolen data as leverage.
- Pre-stage incident response and clinical downtime procedures. Maintain an IR retainer, legal counsel with breach experience, and clinical downtime protocols (paper charting, manual imaging workflows, transfer agreements) that can be activated within hours.
- Share intelligence with healthcare ISACs. Report suspicious activity to Health-ISAC and CISA, and ingest indicators tied to emerging groups like Blackwater as soon as they are published.
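One way to implement the outbound-volume check behind the "Monitor for data staging and exfiltration" recommendation, as an added example that is not taken from the hospital or the cited report. It baselines each host's daily egress so a routine offsite backup is not flagged while a workstation's sudden multi-gigabyte upload is; the flow-record layout, address ranges, thresholds and function names are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed internal ranges; replace with the site's own address plan.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summaries (day, source, destination, bytes out); external IPs are documentation ranges.
SAMPLE_FLOWS = """\
2026-01-05 10.20.5.14 203.0.113.10 180000000
2026-01-06 10.20.5.14 203.0.113.10 150000000
2026-01-07 10.20.5.14 203.0.113.10 200000000
2026-01-08 10.20.5.14 198.51.100.77 30000000000
2026-01-08 10.20.5.14 198.51.100.77 12000000000
2026-01-08 10.20.5.14 10.20.9.2 90000000000
2026-01-05 10.20.9.2 203.0.113.50 40000000000
2026-01-06 10.20.9.2 203.0.113.50 39000000000
2026-01-07 10.20.9.2 203.0.113.50 41000000000
2026-01-08 10.20.9.2 203.0.113.50 41000000000
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def daily_egress(text):
    """Sum bytes per source per day for flows that leave the internal ranges."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if line.strip():
            day, src, dst, nbytes = line.split()
            if is_internal(src) and not is_internal(dst):
                totals[src][day] += int(nbytes)
    return totals

def flag_egress_spikes(text, factor=10, floor_bytes=5 * 10**9, min_history=3):
    """Return (src, day, bytes, baseline) for days far above a host's own median."""
    alerts = []
    for src, days in daily_egress(text).items():
        history = []
        for day, total in sorted(days.items()):
            # Hosts without enough history are skipped here and need separate review.
            if len(history) >= min_history:
                baseline = median(history)
                if total >= floor_bytes and total > factor * baseline:
                    alerts.append((src, day, total, baseline))
            history.append(total)
    return alerts
```

On the constructed records, only the workstation at 10.20.5.14 is flagged: its 42 GB of external traffic on the last day is far above its roughly 180 MB median, while the backup host's steady 40 GB per day and the 90 GB internal transfer are not.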
Sources: Cybercriminals say they hacked Minidoka Memorial Hospital, demand ransom - Comparitech