On April 6, 2026, Signature Healthcare, operator of Brockton Hospital in Massachusetts, detected a significant ransomware attack that forced the facility into emergency downtime procedures and disrupted patient care for roughly two weeks. The Anubis ransomware-as-a-service group claimed responsibility on April 9, asserting it had stolen more than 2 terabytes of sensitive data. The intrusion diverted ambulances, canceled chemotherapy infusions, and pushed staff back to paper records before the hospital reached recovery milestones by April 15.
What Happened
The attack triggered full emergency downtime at Brockton Hospital. Ambulances were diverted to other facilities, chemotherapy infusions were temporarily canceled, and clinical staff reverted to paper-based workflows. The electronic medical record (EMR) system and patient portal were taken offline, delaying lab work and medical testing. For approximately two weeks, the hospital could not fill new prescriptions or fulfill requests for medical records, severely degrading clinical operations.
On April 9, 2026, the Anubis ransomware-as-a-service group claimed the attack and posted a countdown clock to its dark web leak site, demanding a ransom payment. The group later temporarily removed the post, creating uncertainty about whether negotiations had begun. By April 15, Brockton Hospital had resumed accepting ambulances, with CEO Bob Haffey crediting round-the-clock efforts by IT and clinical staff for the recovery progress.
What Was Taken
Anubis claims to have exfiltrated over 2 terabytes of sensitive data from Signature Healthcare and Brockton Hospital. While the full contents have not been independently confirmed, a health system of this profile typically holds electronic protected health information (ePHI), including patient demographics, medical records, treatment histories, and potentially billing and insurance data.
The scale of the alleged theft, combined with the offline EMR and patient portal, points to a deep intrusion into core clinical and administrative systems. Anubis is known for a dangerous "wipe mode" capability that can permanently destroy stolen data if a ransom is not paid, raising the stakes well beyond a standard extortion threat.
Why It Matters
This incident highlights the acute vulnerability of smaller community hospitals and regional health systems, which often lack the cybersecurity resources of larger institutions yet provide irreplaceable local emergency care. The diversion of ambulances and cancellation of treatments represent direct patient safety risks that extend far beyond data loss.
The theft of ePHI also raises serious HIPAA compliance concerns and may trigger regulatory investigations and litigation. Anubis's emerging tactics, blending data exfiltration with destructive wipe threats, signal an escalation in how ransomware operators pressure healthcare victims, where downtime measured in weeks translates directly into delayed diagnoses and interrupted life-critical care.
The Attack Technique
The specific initial access vector has not been publicly disclosed. However, Anubis operates as a ransomware-as-a-service (RaaS) operation, meaning affiliates carry out intrusions using a shared toolkit and infrastructure. Affiliate-driven attacks against healthcare commonly begin with phishing, stolen or weak credentials, exposed remote access services, or unpatched perimeter devices.
The hallmark of this campaign is double extortion enhanced with destruction: data is exfiltrated, systems are encrypted, and victims are threatened with permanent data wiping if they refuse to pay. The countdown clock and the later removal of the leak-site post are consistent with Anubis's pressure-driven negotiation playbook.
What Organizations Should Do
- Maintain tested, offline (immutable) backups of EMR, imaging, and critical clinical systems so recovery does not depend on the attacker's cooperation.
- Implement network segmentation to isolate clinical, administrative, and patient-facing systems, limiting lateral movement and blast radius.
- Enforce phishing-resistant multi-factor authentication on all remote access, VPNs, and privileged accounts to close common affiliate entry points.
- Build and rehearse downtime and continuity-of-care procedures so emergency care, chemotherapy, and lab services can continue during EMR outages.
- Deploy monitoring for large outbound data transfers to detect exfiltration before encryption or wipe threats are executed.
- Pre-stage an incident response plan with legal, regulatory (HIPAA breach notification), and law enforcement contacts to accelerate coordinated response.
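As an added illustration of the outbound-transfer monitoring item above (example code, not taken from the source report or from any vendor tool), this sketch sums each internal host's daily egress to external addresses and flags days that exceed both an absolute floor and a multiple of that host's own median. The flow-record layout, the 10.0.0.0/8 internal range, the thresholds, and all sample records are assumptions constructed for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: the site's internal address space; replace with your own ranges.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records (not data from the incident).
SAMPLE_FLOWS = """date,src,dst,bytes_out
2026-03-01,10.20.1.15,203.0.113.10,400000000
2026-03-02,10.20.1.15,203.0.113.10,450000000
2026-03-03,10.20.1.15,203.0.113.10,380000000
2026-03-04,10.20.1.15,198.51.100.77,150000000000
2026-03-04,10.20.1.15,198.51.100.78,160000000000
2026-03-02,10.20.1.40,10.20.9.5,900000000000
2026-03-04,10.20.1.40,203.0.113.10,200000000
2026-03-04,10.20.1.77,198.51.100.77,120000000000
"""


def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)


def daily_external_bytes(flow_csv):
    """Sum the bytes each internal host sent to external destinations, per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            totals[row["src"]][row["date"]] += int(row["bytes_out"])
    return totals


def flag_exfil(flow_csv, multiplier=10, floor_bytes=50 * 10**9, min_history=3):
    """Return (host, day, bytes) where a day's egress is at least floor_bytes and
    more than multiplier x the host's median of earlier days. Hosts with fewer
    than min_history earlier days are judged on the floor alone."""
    alerts = []
    for host, days in daily_external_bytes(flow_csv).items():
        ordered = sorted(days.items())
        for i, (day, sent) in enumerate(ordered):
            history = [b for _, b in ordered[:i]]
            baseline = median(history) if len(history) >= min_history else 0
            if sent >= floor_bytes and sent > multiplier * baseline:
                alerts.append((host, day, sent))
    return sorted(alerts)


if __name__ == "__main__":
    for host, day, sent in flag_exfil(SAMPLE_FLOWS):
        print(f"{day} {host} sent {sent / 1e9:.0f} GB to external destinations")
```

Internal-to-internal traffic such as the 900 GB backup flow is ignored, while a host with no history is still caught by the floor; systems that legitimately upload large volumes offsite need their own baseline or allowlist.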
Sources: Anubis Ransomware Group Targets Brockton Hospital, Disrupting Patient Care for Weeks – MedRisk