Ransomware | OPEN-DOOR-HEALTH | 2026-05-29

Open Door Health Center: INC Ransomware Claim

On May 25, 2026, the INC ransomware group (also tracked as INC Ransom / incransom) added Open Door Health Center (ODHC) to its dark web leak site, claiming to have exfiltrated data from the Illinois-based healthcare provider. ODHC, operating under odhc.org since 1977, serves a vulnerable patient population that includes LGBTQI individuals and people living with HIV/AIDS. The claim remains unverified by Yazoul Security, with no data samples or download links currently posted by the group.

What Happened

The listing surfaced on INC's leak site on May 25, 2026, and was documented by Yazoul Security two days later. INC's post described ODHC's medical home model in detail, referencing its HIV programs, behavioral health services, case management, and community outreach offerings. The group did not disclose the volume of data allegedly stolen, the intrusion vector, or any ransom demand. As of publication, no proof-of-compromise samples have been released, which is consistent with INC's early-stage extortion playbook of pressuring victims before publishing evidence. ODHC has not issued a public statement confirming or denying the incident.

What Was Taken

INC has not specified the nature or volume of the allegedly exfiltrated dataset. Given the targeted organization's clinical scope, plausible exposure categories include:

The sensitivity profile here is unusually high. HIV status and LGBTQI-related health data carry heightened stigma and discrimination risk, and unauthorized disclosure could trigger HIPAA enforcement actions, state breach notification obligations, and significant patient harm.

Why It Matters

This claim, even unverified, reinforces a pattern Yazoul has tracked through 2025 and into 2026: ransomware actors actively prioritizing community health centers and small-to-mid healthcare providers whose security budgets do not match the sensitivity of the data they hold. INC in particular has shown a willingness to publish stolen healthcare data when negotiations stall.

For defenders, the targeting of a clinic serving stigmatized populations raises the coercive leverage available to the attacker. Victim organizations face pressure not just from regulators and patients, but from the prospect of identity-level harm to people who may already face housing, employment, or familial consequences from disclosure. That asymmetry tends to inflate ransom demands and shorten negotiation windows.

The Attack Technique

INC's initial access vector against ODHC has not been disclosed. Based on prior incident reporting, INC affiliates have historically relied on phishing, exploitation of unpatched internet-facing appliances (notably Citrix NetScaler / CVE-2023-3519 in earlier campaigns), and abuse of valid credentials obtained from infostealer logs or initial access brokers.

Once inside, INC has been observed leveraging the following toolset:

No public YARA rules or vendor-specific detections are currently available for INC payloads, making behavioral telemetry the primary detection surface.

What Organizations Should Do

Healthcare providers, particularly community health centers with overlapping risk profiles, should take the following actions:

  1. Hunt for INC tradecraft. Build detections for unsanctioned use of AdFind, Advanced IP Scanner, SoftPerfect NetScan, and Mimikatz, and alert on suspicious 7-Zip archiving of large directories outside of backup windows.
  2. Block or monitor exfiltration channels. Restrict outbound traffic to MEGA and BackBlaze at the egress layer unless there is a documented business need, and alert on large uploads to consumer cloud storage.
  3. Harden identity. Enforce phishing-resistant MFA on all remote access, VPN, and email; rotate credentials known to appear in infostealer marketplaces; and audit service account permissions in Active Directory.
  4. Patch internet-facing edge devices. Prioritize VPN concentrators, file transfer appliances, and remote access gateways, which remain INC's most common entry points.
  5. Validate offline, immutable backups. Test restoration of EHR and clinical systems against a tabletop ransomware scenario, and ensure backup credentials are segmented from production AD.
  6. Prepare a sensitive-data breach response plan. For organizations handling HIV status or LGBTQI-related care data, pre-draft patient notification language with counsel and align with HHS OCR HIPAA breach notification requirements.
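Steps 1 and 2 above, as an added hunting example that is not from the Yazoul brief: it runs over constructed process-creation and proxy records and flags the named tools, 7-Zip archiving of a large directory outside a backup window, and large uploads to MEGA or Backblaze. The image names, record fields, size thresholds, hostnames and the 01:00-04:00 backup window are assumptions.

```python
from datetime import datetime, time

# Tools the brief names as INC tradecraft; the image names are assumptions.
INC_TOOLS = {"adfind.exe", "advanced_ip_scanner.exe", "netscan.exe", "mimikatz.exe"}
# Exfiltration services the brief names; the hostnames are assumptions.
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "backblaze.com", "backblazeb2.com")
BACKUP_WINDOW = (time(1, 0), time(4, 0))   # assumed sanctioned archiving window
ARCHIVE_FLAG_MB = 500                      # assumed "large archive" threshold
UPLOAD_FLAG_MB = 200                       # assumed "large upload" threshold

def in_backup_window(ts):
    start, end = BACKUP_WINDOW
    return start <= ts.time() <= end

def hunt_process(ev):
    """Return a finding label for one process-creation record, else None."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if image in INC_TOOLS:
        return f"INC_TOOL:{image}"
    # 7-Zip 'a' (add) producing a large archive outside the backup window.
    if image in ("7z.exe", "7za.exe") and ev["args"].split()[:1] == ["a"]:
        ts = datetime.fromisoformat(ev["ts"])
        if ev.get("archive_mb", 0) >= ARCHIVE_FLAG_MB and not in_backup_window(ts):
            return "STAGING_7ZIP_OUTSIDE_WINDOW"
    return None

def hunt_proxy(ev):
    """Return a finding label for one egress/proxy record, else None."""
    host = ev["host"].lower()
    if any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
        if ev.get("sent_mb", 0) >= UPLOAD_FLAG_MB:
            return f"EXFIL_UPLOAD:{host}"
        return f"EXFIL_DOMAIN:{host}"   # contact without bulk upload: review
    return None

def run_hunt(process_events, proxy_events):
    findings = [f for e in process_events if (f := hunt_process(e))]
    findings += [f for e in proxy_events if (f := hunt_proxy(e))]
    return findings

# Constructed sample telemetry, not real ODHC data.
PROCESS_EVENTS = [
    {"ts": "2026-05-20T02:10:00", "image": r"C:\Program Files\7-Zip\7z.exe", "args": "a nightly.7z D:\\ehr", "archive_mb": 900},
    {"ts": "2026-05-20T14:32:00", "image": r"C:\Users\svc\7z.exe", "args": "a out.7z \\\\fs01\\patients", "archive_mb": 1200},
    {"ts": "2026-05-20T14:40:00", "image": r"C:\Temp\AdFind.exe", "args": "-f objectcategory=computer"},
]
PROXY_EVENTS = [{"host": "eu.api.mega.co.nz", "sent_mb": 1150}, {"host": "portal.odhc.org", "sent_mb": 3}]

if __name__ == "__main__":
    print(run_hunt(PROCESS_EVENTS, PROXY_EVENTS))
```

The in-window 7-Zip run (02:10, 900 MB) is deliberately left unflagged so a sanctioned backup does not page the on-call analyst.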

Sources: Open Door Health Center Ransomware Claim by INC (May 2026)