Rocky Mountain Care, a Utah-based operator of senior care and skilled nursing facilities, disclosed a ransomware attack on March 27, 2026, confirming claims previously made by the Qilin ransomware group. The intrusion occurred between January 30 and February 2, 2026. Qilin posted stolen data samples to its dark web leak site on February 23, threatening full publication within three to four days. Rocky Mountain Care has not confirmed whether the ransom was paid, and a forensic review to determine whether Protected Health Information (PHI) was exfiltrated is still in progress. The breach affects residents across multiple states including DC, Maryland, New Mexico, New York, North Carolina, and Rhode Island — indicating the organization's patient population spans well beyond Utah.
What Happened
Between January 30 and February 2, 2026, an unauthorized party accessed files on Rocky Mountain Care's network in a four-day intrusion window. The organization detected the breach, engaged third-party cybersecurity specialists, and began investigating the scope. Qilin ransomware operators independently confirmed the attack on February 23 by posting the victim to their dark web leak site along with sample data, issuing a deadline of three to four days for ransom payment before publishing the complete dataset.
Rocky Mountain Care did not disclose the incident publicly until March 27, 2026 — nearly two months after the intrusion and over a month after Qilin's public posting. The delay likely reflects the ongoing forensic review to catalog what data was accessed before issuing breach notifications. Attorney general disclosures had not been filed in any state as of the date of publication, despite state-specific notification language already being included in the company's notice — an unusual combination that suggests notifications to states are imminent but not yet complete.
Whether Rocky Mountain Care paid the ransom is unknown. The multi-week gap between Qilin's publication threat and the company's eventual disclosure does not definitively indicate payment or non-payment.
What Was Taken
The specific data categories have not yet been confirmed — Rocky Mountain Care states that a review to determine whether PHI is involved is still underway. However, given the nature of the organization — a senior care and skilled nursing facility network — the data held on its systems typically includes:
- Patient names, dates of birth, and Social Security Numbers
- Medical records, diagnoses, and treatment histories
- Medicare/Medicaid enrollment and billing data
- Health insurance information and policy details
- Medication records and care plans
- Employee records and personnel files
Senior care facility data is among the most sensitive categories of healthcare information. Patients are elderly, frequently cognitively vulnerable, and less able to actively monitor for identity theft or fraudulent use of their health benefits. The combination of SSNs, Medicare/Medicaid data, and medical histories creates significant identity theft and benefits fraud exposure for an already at-risk population.
Why It Matters
Rocky Mountain Care is one of several senior care and long-term care operators hit by Qilin in early 2026, continuing a deliberate pattern of targeting healthcare organizations where patient data is maximally sensitive and operational disruption pressure is high. Skilled nursing facilities and senior care operators are structurally vulnerable: they operate on thin margins, often run legacy IT infrastructure, and face regulatory pressure to maintain patient care continuity that makes ransom payment a more likely calculation than operational shutdown.
The January 30 – February 2 intrusion window is short, suggesting either rapid detection or a fast-moving attack designed to maximize exfiltration before triggering defenses. Qilin's four-day exfiltration window is consistent with the group's documented double extortion methodology — get in, get the data, deploy ransomware, and create a deadline.
The multi-state patient population also signals scale. Rocky Mountain Care's notification language covering DC, Maryland, New Mexico, New York, North Carolina, and Rhode Island indicates this is not a single-facility regional operator but a network with patient referrals or administrative operations spanning multiple states — meaning the notification and regulatory compliance scope is substantially broader than a local incident.
The Attack Technique
Qilin's documented attack methodology is consistent with this intrusion profile:
- Initial access — Qilin affiliates commonly exploit unpatched VPN and remote access vulnerabilities, phishing-based credential theft, and abuse of exposed RDP endpoints. Senior care operators frequently run remote access infrastructure for administrative staff and telehealth coordination that may be poorly maintained.
- Short dwell, fast exfiltration — The four-day access window (January 30 – February 2) suggests the attackers moved quickly rather than conducting extended network reconnaissance. This is consistent with Qilin affiliate operations that prioritize bulk file staging and exfiltration over prolonged lateral movement.
- Double extortion — Data was exfiltrated before any encryption event. Qilin posted samples and a deadline rather than just deploying ransomware, ensuring leverage even against organizations with working backups.
- Go-based cross-platform payload — Qilin deploys a Go-based ransomware encryptor capable of targeting Windows environments and VMware ESXi hypervisors. Healthcare organizations running virtual infrastructure are particularly exposed.
The specific initial access vector for the Rocky Mountain Care intrusion has not been publicly confirmed.
What Organizations Should Do
- Audit and harden all remote access infrastructure immediately — Senior care operators frequently expose VPN concentrators, RDP, and remote management portals for distributed facility administration. Verify patch currency on all remote access devices, enforce MFA on every remote session, and review VPN access logs for anomalous authentication patterns in the 30 days prior to any suspected breach.
- Segment patient data systems from administrative networks — EMR systems, billing platforms, and patient record databases should sit on isolated network segments with no direct connectivity to general administrative workstations or internet-facing systems. Lateral movement from a compromised admin endpoint to patient records is the path Qilin and similar groups exploit.
- Implement immutable, tested backups — Qilin's double extortion means backups don't eliminate the data leak threat, but they do eliminate the operational encryption leverage. Air-gapped or immutable backups that are tested for restoration monthly are non-negotiable for healthcare operators.
- Accelerate breach notification timelines — Rocky Mountain Care's nearly two-month gap between intrusion and public disclosure, while pending forensic review, puts it at risk of HIPAA notification violations. Organizations should establish a 60-day hard cap for PHI breach notification from discovery — not from completion of forensic review — and staff accordingly.
- Conduct proactive notification to at-risk patient populations — Senior patients exposed in a healthcare breach cannot effectively self-monitor for identity theft or Medicare/Medicaid fraud without explicit guidance. Notification letters should include specific instructions for placing credit freezes, how to monitor Medicare Summary Notices for fraudulent claims, and who to contact at CMS if fraudulent billing is detected.
- Pre-qualify incident response and forensic vendors — Rocky Mountain Care engaged third-party specialists after the breach was discovered. Pre-qualified IR retainers with healthcare-specialized firms reduce time-to-containment from days to hours — critical when the breach involves patient safety obligations.
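One way to carry out the VPN-log review recommended in the first item above, as an added example that is not from the advisory, Rocky Mountain Care, or any vendor: a Python script that parses constructed VPN authentication lines and flags the patterns an analyst would want surfaced before a suspected intrusion window (success without MFA, a login from a country not previously seen for that user, a success right after repeated failures, and off-hours sessions). The log format, the business-hours window and the failure threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical key=value VPN auth format (not a real appliance's output).
SAMPLE_LOG = """\
2026-01-28T09:02:11Z user=jdoe src=203.0.113.10 geo=US-UT mfa=yes result=success
2026-01-29T17:44:03Z user=jdoe src=203.0.113.10 geo=US-UT mfa=yes result=success
2026-01-30T02:13:40Z user=admin_svc src=198.51.100.77 geo=NL mfa=no result=failure
2026-01-30T02:13:52Z user=admin_svc src=198.51.100.77 geo=NL mfa=no result=failure
2026-01-30T02:14:07Z user=admin_svc src=198.51.100.77 geo=NL mfa=no result=success
2026-01-31T22:58:19Z user=jdoe src=198.51.100.77 geo=NL mfa=yes result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
                     r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$")
BUSINESS_HOURS = range(6, 21)  # assumed policy: 06:00-20:59 UTC is normal staff activity

def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def find_anomalies(events, max_failures=2):
    """Return (timestamp, user, reason) tuples for successful sessions worth analyst review."""
    findings, seen_geo, failures = [], defaultdict(set), defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        user, geo = e["user"], e["geo"]
        if e["result"] == "failure":
            failures[user] += 1          # count failures until the next success resets them
            continue
        if e["mfa"] == "no":
            findings.append((e["ts"], user, "success without MFA"))
        if seen_geo[user] and geo not in seen_geo[user]:
            findings.append((e["ts"], user, f"new geo {geo} after {sorted(seen_geo[user])}"))
        if failures[user] >= max_failures:
            findings.append((e["ts"], user, f"success after {failures[user]} failures"))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((e["ts"], user, "off-hours login"))
        seen_geo[user].add(geo)          # first-seen geo baseline is built from the log itself
        failures[user] = 0
    return findings

if __name__ == "__main__":
    for ts, user, reason in find_anomalies(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Run it against an export covering the 30 days before the suspected window so the geo baseline reflects normal use; a user whose only history is inside the window will not get a "new geo" finding.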