Ransomware MT-SPOKANE-PEDIATR 2026-05-28

Mt. Spokane Pediatrics: LockBit 5.0 Ransomware Attack

Mt. Spokane Pediatrics, a pediatric clinic based in Spokane, Washington, has notified 32,021 patients that their personal and medical information was exfiltrated during a January 2026 ransomware attack claimed by LockBit 5.0. The clinic filed formal notification with the Washington Attorney General on April 30, 2026, following a four-month forensic investigation that concluded on April 22. The LockBit 5.0 group publicly claimed responsibility on its Tor leak site just 48 hours after the intrusion, threatening to publish stolen data within 20 days.

What Happened

On or around January 1, 2026, an unauthorized actor accessed Mt. Spokane Pediatrics' network environment and exfiltrated files containing sensitive patient data. According to the clinic's official notice and reporting by KHQ Local News, staff contained the threat immediately upon discovery and engaged outside cybersecurity professionals to conduct a forensic investigation.

Two days later, on January 3, 2026, the LockBit 5.0 ransomware operation listed the clinic on its Tor-based leak site, claiming to have stolen the clinic's data and threatening publication within 20 days. This created a two-track situation: the threat actor publicly asserted data theft while the clinic's own forensic review remained in its earliest stages.

The investigation concluded on April 22, 2026, confirming the scope of compromised data. The clinic mailed notification letters to all 32,021 affected individuals and reported the incident to the Washington Attorney General on April 30, 2026.

What Was Taken

Forensic analysis confirmed that exfiltrated files contained an extensive set of identifiers and protected health information for the affected pediatric patient population:

Because the victim population is pediatric, the exposure carries elevated long-term risk. Minors' Social Security numbers are particularly attractive for synthetic identity fraud, which can persist undetected for years until the victim reaches adulthood and attempts to open credit accounts.

Why It Matters

This incident underscores the continued targeting of small and mid-sized healthcare providers by mature ransomware-as-a-service operations. According to Comparitech's Q1 2026 healthcare ransomware roundup, LockBit confirmed attacks against four healthcare providers in Q1 2026, including Mt. Spokane Pediatrics, placing it among the most active confirmed groups against the sector during the quarter.

Several elements warrant attention:

  1. Speed of public extortion. The 48-hour gap between intrusion and public leak-site listing demonstrates that defenders cannot rely on a quiet window to investigate before reputational pressure begins.
  2. Investigation-to-notification lag. The four-month gap between attack and confirmed data scope reflects the operational reality of reviewing large volumes of exfiltrated files, particularly when records contain mixed PHI and PII.
  3. Pediatric data sensitivity. The breach exposes minors whose identity-fraud exposure window is effectively their entire adult lives.
  4. LockBit 5.0 persistence. Despite prior international law enforcement disruption of LockBit infrastructure, the brand continues to operate under a new version, signaling resilience of the affiliate ecosystem.

The Attack Technique

The clinic's public notice does not disclose the initial access vector, the dwell time, or the specific tooling used by the intruder. LockBit affiliates have historically gained access through a recurring set of techniques that healthcare defenders should treat as the working threat model in the absence of confirmed details:

LockBit operations typically exfiltrate data prior to encryption to enable double extortion. The fact that LockBit 5.0 was able to publicly claim the attack within 48 hours suggests data staging and exfiltration completed quickly, consistent with the affiliate's typical playbook of rapid lateral movement following initial access.

What Organizations Should Do

Healthcare providers, particularly small and mid-sized practices that may lack dedicated security teams, should consider the following actions:

  1. Harden external attack surface. Inventory all internet-facing services, disable unused remote access, enforce MFA on every remote login pathway, and patch edge devices on an aggressive cadence.
  2. Deploy and tune EDR across all endpoints and servers. Ensure detections cover credential dumping, lateral movement via SMB and RDP, and unusual archive utility execution that often precedes exfiltration.
  3. Restrict and monitor outbound data flows. Establish baselines for normal egress volumes and alert on large transfers to cloud storage, file-sharing services, or unfamiliar destinations.
  4. Segment clinical and administrative networks. Limit the blast radius of a single compromised endpoint by isolating systems holding PHI and enforcing least-privilege access.
  5. Test offline, immutable backups. Validate that backups are isolated from the production domain and that restoration procedures meet recovery time objectives.
  6. Prepare an incident playbook that assumes double extortion. Plan for the scenario in which an attacker publicly claims the breach before forensic scope is established, including legal, regulatory, and communications workflows.
  7. Treat pediatric data exposures with elevated downstream support. Offer affected families guidance on credit freezes for minors, available in all 50 states.
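
One way to implement the egress baseline in item 3, as an added example that is not part of the original brief: it builds a per-host baseline of daily outbound volume (median plus a multiple of the median absolute deviation) from flow records and flags large transfers to destinations the host has not used before. The hostnames, destinations, byte counts and thresholds are constructed for illustration and would need tuning against real flow data.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records (day, host, destination, bytes_out); all values are made up.
BASELINE = [
    (day, host, dest, base + day * step)
    for day in range(1, 8)
    for host, dest, base, step in [
        ("ehr-app01", "backup.example.net", 400_000_000, 5_000_000),
        ("frontdesk-pc3", "mail.example.net", 20_000_000, 1_000_000),
    ]
]
TODAY = [
    (8, "ehr-app01", "backup.example.net", 410_000_000),
    (8, "frontdesk-pc3", "mail.example.net", 22_000_000),
    (8, "frontdesk-pc3", "files.unfamiliar.example", 9_500_000_000),
]

def build_baseline(flows):
    """Per-host (median, MAD) of daily egress and the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, dest, nbytes in flows:
        daily[host][day] += nbytes
        dests[host].add(dest)
    stats = {}
    for host, per_day in daily.items():
        vals = list(per_day.values())
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1  # avoid a zero spread
        stats[host] = (med, mad)
    return stats, dests

def egress_alerts(baseline_flows, today_flows, k=10, new_dest_min=100_000_000):
    """Return (host, reason) pairs for egress that breaks the host's baseline."""
    stats, known = build_baseline(baseline_flows)
    totals, alerts = defaultdict(int), []
    for _, host, dest, nbytes in today_flows:
        totals[host] += nbytes
        if dest not in known.get(host, set()) and nbytes >= new_dest_min:
            alerts.append((host, f"large transfer to new destination {dest}"))
    for host, total in totals.items():
        med, mad = stats.get(host, (0, 1))  # a host with no baseline alerts on any real volume
        if total > med + k * mad:
            alerts.append((host, "daily volume above baseline"))
    return alerts

if __name__ == "__main__":
    print(egress_alerts(BASELINE, TODAY))
```

The median and MAD are used instead of mean and standard deviation so that one earlier bulk transfer in the baseline window does not inflate the threshold.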

Sources: LockBit 5.0 claims attack on Washington pediatric clinic