Signature Healthcare and its Brockton Hospital facility in Massachusetts are entering their second week of disrupted operations following a cyberattack discovered on April 6, 2026. The Anubis Ransomware-as-a-Service (RaaS) group has claimed responsibility, alleging it exfiltrated two terabytes of data. Ambulance diversions remain in effect, EHR systems are offline, and the health system has told local media that downtime procedures will continue for at least two more weeks.

What Happened

On April 6, Signature Healthcare detected suspicious activity within its information systems and immediately activated downtime procedures. The attack forced the diversion of ambulance traffic away from Brockton Hospital, a measure still in place as of April 10 according to the organization's latest public update. Clinical providers have reverted to paper-based workflows as electronic health record systems remain down. Retail pharmacies affiliated with the system are open for consultations but cannot fill prescriptions. The patient portal is inaccessible, lab work is processing at a significantly reduced pace, and requests for medical records cannot be fulfilled. Chemotherapy infusion services have resumed, and surgeries and scheduled procedures are continuing, suggesting some degree of clinical stabilization even as IT systems remain offline.

What Was Taken

Anubis claims to hold two terabytes of exfiltrated data and is using the threat of its release to pressure Signature Healthcare into paying a ransom. While the exact contents of the stolen data have not been publicly confirmed, a health system of this size typically stores protected health information (PHI), insurance and billing records, employee data, and internal operational documents. Given the volume claimed, the breach likely spans patient records, financial data, and potentially clinical research or administrative files. Signature Healthcare has not commented on the validity of the claim.

Who Is Anubis

Anubis is a Ransomware-as-a-Service operation first observed in late 2024. According to threat intelligence firm SOCRadar, the group treats encryption, data theft, access resale, and data destruction as interchangeable tools rather than sequential stages of an attack. This modular approach gives operators significant flexibility in how they pressure victims. Most notably, Anubis features a "wipe mode" capability that overwrites files rather than encrypting them, enabling permanent data loss that cannot be reversed even if a ransom is paid. This positions Anubis closer to destructive malware than traditional ransomware and dramatically escalates the operational risk for any targeted organization.

Why It Matters

Healthcare remains the most consequential sector for ransomware attacks because disruptions translate directly into patient safety risks. Ambulance diversions force emergency patients to travel further for care. Paper-based workflows increase the likelihood of medication errors, missed allergies, and delayed diagnoses. The inability to fill prescriptions or provide medical records creates cascading harm for patients with chronic conditions. The Anubis group's wipe capability introduces an additional dimension: even organizations prepared to pay may find their data unrecoverable. This incident reinforces that healthcare systems must plan for destructive attacks, not just extortion scenarios.

What Organizations Should Do

Sources: Cyberattack continues to disrupt operations at Signature Healthcare | TechTarget