The UK Biobank data breach has intensified scrutiny around the handling and protection of sensitive health information, even when such data is stripped of personally identifiable details. Widely regarded as one of the most significant biomedical research resources in the world, UK Biobank holds extensive genetic, lifestyle, and medical data contributed by around 500,000 volunteers. The recent data breach at UK Biobank, which involved the unauthorized listing of participant data for sale on a Chinese consumer website linked to Alibaba, has sparked concern among participants, researchers, and cybersecurity experts alike.
The UK Biobank Data Breach
The data breach at UK Biobank came to light in April 2026, when officials discovered that de-identified data belonging to participants had been listed for sale online. The listings appeared on a consumer platform owned by Alibaba, sparking immediate concern among researchers and participants alike.
UK Biobank, a biomedical database established in 2003, contains extensive genetic, lifestyle, and health data from around 500,000 UK volunteers. This dataset has been a cornerstone for global medical research, contributing to thousands of discoveries since access was opened to scientists in 2012.
Professor Sir Rory Collins, chief executive and principal investigator of UK Biobank, confirmed the breach in an official statement. He said, “Last week, we found that de-identified participant data made available to researchers at three academic institutions were listed for sale on a consumer website in China, owned by Alibaba.” He added that with support from UK and Chinese authorities, Alibaba “swiftly removed those listings before any sales were made.”
Nature of the Exposed Data
Despite the seriousness of the UK Biobank data breach, officials stressed that the compromised information did not include personally identifiable details. According to Collins, the dataset did not contain names, addresses, dates of birth, or NHS numbers. “All the data are de-identified,” he said, emphasising that there is no evidence that participants were directly identified as a result of the breach.
However, the incident still represents a violation of strict data access agreements. The data had been shared with three academic institutions under contracts that require secure handling and prohibit unauthorized distribution. Collins described the situation as “a clear breach of the contract,” noting that the institutions and individuals involved have had their access suspended.
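Removing direct identifiers is the first step of de-identification, not the last: the attributes that remain (year of birth, sex, a coarse geographic area) can still single out a participant when combined. The following k-anonymity check is an added example, not UK Biobank's code; the rows, the column names, the quasi-identifier set and the required k are all constructed for illustration. It measures how many records share each combination of quasi-identifiers, lists records that are unique on those columns, and shows how coarsening one column raises k before an extract is released.

```python
"""k-anonymity check on a de-identified extract (added example, not UK Biobank's).

Stripping direct identifiers (name, address, date of birth, NHS number) is not
the same as anonymity: combinations of the remaining attributes, the
quasi-identifiers, can still single out a participant. This check measures how
many records share each quasi-identifier combination before a release.
The rows, column names and thresholds below are constructed for illustration.
"""
from collections import Counter

# Constructed de-identified extract: no names, addresses, DOB or NHS numbers,
# but year of birth, sex and a coarse postcode area survive alongside the
# research attribute (BMI).
SAMPLE_EXTRACT = [
    {"id": 1, "yob": 1961, "sex": "F", "area": "OX", "bmi": 24.1},
    {"id": 2, "yob": 1961, "sex": "F", "area": "OX", "bmi": 27.9},
    {"id": 3, "yob": 1961, "sex": "F", "area": "OX", "bmi": 31.3},
    {"id": 4, "yob": 1955, "sex": "M", "area": "OX", "bmi": 22.0},
    {"id": 5, "yob": 1955, "sex": "M", "area": "OX", "bmi": 26.4},
    {"id": 6, "yob": 1958, "sex": "M", "area": "OX", "bmi": 29.7},  # unique combination
    {"id": 7, "yob": 1967, "sex": "F", "area": "OX", "bmi": 23.3},  # unique combination
]

# Columns an outsider could plausibly learn about a person from other sources.
QUASI_IDENTIFIERS = ("yob", "sex", "area")


def equivalence_classes(rows, quasi=QUASI_IDENTIFIERS):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(tuple(row[q] for q in quasi) for row in rows)


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Smallest class size: every record is indistinguishable from at least k-1 others."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def singled_out(rows, quasi=QUASI_IDENTIFIERS):
    """Return ids of records whose quasi-identifier combination is unique (k == 1)."""
    classes = equivalence_classes(rows, quasi)
    return [row["id"] for row in rows if classes[tuple(row[q] for q in quasi)] == 1]


def generalise_yob(rows, width=10):
    """Coarsen year of birth to a band (default: decade), a common way to raise k."""
    out = []
    for row in rows:
        r = dict(row)
        r["yob"] = (row["yob"] // width) * width
        out.append(r)
    return out


def release_ok(rows, k_required=3, quasi=QUASI_IDENTIFIERS):
    """Release gate: refuse an extract whose k is below the agreed minimum (assumed k=3)."""
    return k_anonymity(rows, quasi) >= k_required


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(SAMPLE_EXTRACT))
    print("records singled out:", singled_out(SAMPLE_EXTRACT))
    coarse = generalise_yob(SAMPLE_EXTRACT)
    print("k after decade bands:", k_anonymity(coarse))
    print("release permitted:", release_ok(coarse))
```

The raw extract has k = 1 (records 6 and 7 are alone in their classes), so the gate refuses it; once year of birth is banded to decades every class holds at least three records and the same gate passes. Which columns count as quasi-identifiers is a judgement about what an outsider could learn elsewhere, which is why the set is a parameter rather than hard-coded.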
Immediate Response to the Data Breach at UK Biobank
In response to the data breach at UK Biobank, the organization moved quickly to contain the risk and reassure participants. Access to its research platform has been temporarily suspended while new protection methods are implemented. Among the measures introduced:
Strict limits on the size of files that researchers can export
Daily monitoring of all exported files for suspicious activity
A comprehensive, board-led forensic investigation
“These security measures will further minimise the potential for misuse of UK Biobank data,” Collins said.
Researchers typically access the data through a restricted, cloud-based platform hosted in the UK. The system is designed to ensure that sensitive information remains secure while still enabling scientific discovery. Following the breach, additional controls are being layered onto this infrastructure.
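The first two measures listed above, a hard cap on export file size and a daily review of every export, complement each other: a per-file cap alone is defeated by splitting a dataset into many files, which is exactly what the daily review is there to catch. The check below is an added example, not UK Biobank's own tooling; the audit-log format, the account names, the thresholds and the sample export records are all constructed for illustration.

```python
"""Export-monitoring check for a restricted research platform.

Added example, not UK Biobank code. It models two of the controls described
above: a hard per-file export size limit, and a daily review of all exports
that flags accounts whose volume or frequency is out of line. The log format,
account names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed export audit log: timestamp, account, file name, size in bytes.
# "bob" stays under the per-file cap on every export but exceeds the daily
# volume and count caps; "dave" makes one oversize export.
SAMPLE_EXPORT_LOG = """\
2026-04-13T09:12:04Z alice@inst-a.example results_summary.csv 180000
2026-04-13T09:40:51Z alice@inst-a.example model_coeffs.csv 95000
2026-04-13T10:02:17Z bob@inst-b.example cohort_part1.bin 450000000
2026-04-13T10:05:33Z bob@inst-b.example cohort_part2.bin 450000000
2026-04-13T10:06:01Z bob@inst-b.example cohort_part3.bin 450000000
2026-04-13T10:06:30Z bob@inst-b.example cohort_part4.bin 450000000
2026-04-13T10:07:02Z bob@inst-b.example cohort_part5.bin 450000000
2026-04-13T11:15:00Z carol@inst-c.example figure_data.csv 40000
2026-04-13T14:20:45Z dave@inst-d.example full_phenotypes.tsv 600000000
"""

MAX_FILE_BYTES = 500 * 1024 * 1024         # per-file export cap (assumed value)
MAX_DAILY_BYTES = 2 * 1024 * 1024 * 1024   # per-account daily volume cap (assumed)
MAX_DAILY_FILES = 3                        # per-account daily export count cap (assumed)


def parse_log(text):
    """Parse whitespace-separated audit lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, filename, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "account": account,
            "file": filename,
            "bytes": int(size),
        })
    return records


def check_file_limit(record):
    """Return True if a single export exceeds the per-file cap (the blocking control)."""
    return record["bytes"] > MAX_FILE_BYTES


def daily_review(records):
    """Aggregate exports per (day, account) and return a list of alerts."""
    totals = defaultdict(lambda: {"bytes": 0, "files": 0, "oversize": []})
    for r in records:
        key = (r["ts"].date().isoformat(), r["account"])
        totals[key]["bytes"] += r["bytes"]
        totals[key]["files"] += 1
        if check_file_limit(r):
            totals[key]["oversize"].append(r["file"])

    alerts = []
    for (day, account), t in sorted(totals.items()):
        reasons = []
        if t["oversize"]:
            reasons.append("oversize files: " + ", ".join(t["oversize"]))
        if t["bytes"] > MAX_DAILY_BYTES:
            reasons.append(f"daily volume {t['bytes']} B exceeds cap {MAX_DAILY_BYTES} B")
        if t["files"] > MAX_DAILY_FILES:
            reasons.append(f"{t['files']} exports exceeds daily count cap {MAX_DAILY_FILES}")
        if reasons:
            alerts.append({"day": day, "account": account, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in daily_review(parse_log(SAMPLE_EXPORT_LOG)):
        print(alert["day"], alert["account"], "; ".join(alert["reasons"]))
```

Run against the constructed log, the review raises two alerts: one for the account that split a large extract into five exports that each pass the per-file cap, and one for the single oversize export. In practice the thresholds would be set per project from the access agreement rather than fixed in code, and the review output would feed the forensic investigation the page describes.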
A ransomware attack on Cookeville Regional Medical Center hospital (Tennessee) exposed data of 337,000 people after hackers stole 500GB of sensitive information from its systems.
A ransomware attack on Cookeville Regional Medical Center (CRMC) in Tennessee led to a major data breach affecting about 337,000 people. The attack, carried out by the Rhysida group, involved the theft of around 500GB of data, exposing sensitive information from the hospital.
Cookeville Regional Medical Center detected suspicious activity on July 14, 2025, and quickly launched an investigation with law enforcement and a forensic firm. It found that an unauthorized party accessed its network between July 11 and 14, potentially viewing or stealing sensitive data.
After completing its investigation, CRMC reviewed the affected files and confirmed that personal data was exposed. Depending on the individual, this may include names, addresses, dates of birth, Social Security and driver’s license numbers, financial details, and medical or insurance information. The hospital is notifying affected individuals by mail where possible.
“The forensic investigation determined that an unauthorized third party accessed CRMC’s computer network and viewed or acquired certain files between July 11, 2025, and July 14, 2025. Based on the results of its investigation, CRMC conducted a comprehensive review of the affected files to determine if they contained any personal information that was viewed or acquired by the third party.” reads the notice of data breach “CRMC identified the personal information of certain individuals. Depending on the individual, the personal information may include their name, address, date of birth, Social Security number, driver’s license number, financial account number, medical treatment information, medical record number, and/or health insurance policy information. CRMC is mailing notification letters to individuals for whom they have a valid address and whose information was in the affected files.”
CRMC advises affected individuals to follow the guidance in notification letters to protect themselves. While no misuse of data has been confirmed, the hospital offers free identity theft protection to those impacted. People should monitor accounts and credit reports, report suspicious activity, and contact authorities if fraud is suspected. They can also consult FTC resources for tips on fraud alerts and credit protection.
According to the notification sent to the Maine Attorney General’s Office, the incident impacted 337,000 people.
In August 2025, the Rhysida ransomware group added the healthcare organization to its Tor data leak site, claiming the theft of 538 GB of data.
However, none bought the stolen data, and the group leaked it for free.
ASEC Blog publishes Ransom & Dark Web Issues Week 3, April 2026: Emergence of New Ransomware Groups: TiMC, BlackWater, and Lamashtu; NoName05716 Claims DDoS Attacks on South Korean Public & Private Sectors; VECT & TeamPCP Campaign: Supply Chain Attack Exploiting Global Travel Platform.
Dutch healthcare IT firm ChipSoft suffered a ransomware attack, forcing services and its HiX platform offline, impacting hospitals and patients.
ChipSoft, a major Dutch provider of EHR systems, was hit by a ransomware attack that forced it to take its website and digital services offline, disrupting access for hospitals, healthcare providers, and patients.
EHR (Electronic Health Record) is a digital version of a patient’s medical history, stored and managed by healthcare providers.
The company’s flagship HiX platform, widely used across the Netherlands, was impacted, with users reporting outages earlier this week.
The ransomware attack occurred on April 7, and the Dutch CERT Z-CERT has been coordinating closely with the vendor and healthcare institutions. As a precaution, access to key services like Zorgportaal, HiX Mobile, and Zorgplatform was disabled, with systems now being gradually restored and new credentials issued to users.
According to the Dutch CERT, hospitals have mainly faced logistical disruptions, such as increased call volumes and the need for added support staff; no critical care services have been halted. Z-CERT continues to assist by providing guidance, monitoring the situation, and helping organizations detect, respond to, and recover from the incident while minimizing its overall impact.
“As previously reported, software vendor ChipSoft was hit by a ransomware attack on Tuesday, April 7. Since then, Z‑CERT has been in constant contact with ChipSoft, healthcare institutions, and other involved parties to monitor the situation and provide appropriate support.” reports the Dutch Z‑CERT.
“ChipSoft maintains direct contact with users of the software and provides them with a course of action. In their communication, ChipSoft indicates that all connections to the Zorgportaal, HiX Mobile, and the Zorgplatform have been disabled as a precaution and are currently unavailable. ChipSoft has started bringing the systems back online in phases, during which users are receiving new login credentials. Z‑CERT continues to closely monitor these developments and will inform participants as soon as there is reason to do so.”
Local media [1, 2] confirmed the cyberattack, citing an internal memo warning of possible unauthorized access. The company told healthcare providers it is working to limit the impact and advised them to disconnect from its systems until remediation and cleanup activities are fully completed.
Hospitals in Roermond and Weert closed patient portals after the ransomware attack on ChipSoft, blocking access to records and appointments. Care continues, but staff assist patients due to system outages. Other hospitals report limited or no impact, with systems monitored.
“Most hospitals have not taken their patient portals offline. Eleven hospitals have done so, according to a survey by the NOS. At least nine of these are hospitals that have linked their patient records to ChipSoft’s systems to a greater extent than most other hospitals.” reported the Dutch media NOS.
Patient portals at several Belgian hospitals also went offline after the cyberattack on ChipSoft. The disruption affected multiple facilities, highlighting the cross-border impact of attacks on shared healthcare IT providers.
“Online patient portals at several Belgian hospitals went offline following a cyberattack targeting a Dutch software provider, daily Le Soir reported Friday. The disruption affects patient portals at Hospital aan de Stroom in Antwerp, Hospital Oost-Limburg, and Delta Hospital in Roeselare.”
“The incident is linked to a cyberattack on Netherlands-based software company ChipSoft, which supplies electronic patient record systems and healthcare platforms.” reported the Belgian website AA.
Cyberattacks targeting healthcare IT providers are especially dangerous and attractive to threat actors because these companies act as centralized hubs serving many hospitals and clinics at once. By compromising a single provider, attackers can potentially access or disrupt multiple organizations simultaneously, amplifying the impact. These systems store and process vast amounts of highly sensitive data, such as medical records, personal information, and billing details, which can be exploited for extortion, fraud, or resale.
In addition, healthcare operations depend heavily on the availability of these platforms. Any disruption can affect patient care, creating urgency for rapid recovery. This pressure often makes victims more likely to pay ransoms, increasing the financial incentive for attackers.
Dutch healthcare software vendor ChipSoft has been impacted by a ransomware attack that forced the company to take offline its website and digital services for patients and healthcare providers. [...]
Massachusetts’ Signature Healthcare diverts ambulances and cancels services after a cyberattack disrupts hospital operations and pharmacy access.
The hospital Signature Healthcare in Brockton, Massachusetts, diverted ambulances and canceled some services after a cyberattack disrupted operations. Pharmacies couldn’t fill prescriptions, though urgent care and walk-in services remained open.
Signature Healthcare Brockton Hospital is a non-profit community teaching hospital in Brockton, Massachusetts, founded in 1896. It has about 216 beds and serves over 20 surrounding communities, offering services such as medical, surgical, pediatric, and obstetric care, along with advanced diagnostics. The hospital is affiliated with Beth Israel Deaconess Medical Center and plays a key role in the regional healthcare system.
The hospital, part of a network with 15 locations and 150+ physicians, reported the cybersecurity incident on Monday.
“Signature Healthcare and Signature Healthcare Brockton Hospital are currently responding to a cybersecurity incident that has affected certain information systems within our health system.” reads a statement from the healthcare organization. “Upon identifying suspicious activity within a portion of our network, we immediately activated our incident response protocols. We moved to down-time procedures to ensure high-quality patient care and safety. We are working with outside resources to help us investigate the incident and restore operations as quickly as possible.”
The organization has not confirmed a ransomware attack, and the attackers’ motivation is still unknown. At this time, no ransomware group has claimed responsibility for the attack.
It is unclear if threat actors have stolen sensitive data.
Healthcare organizations are prime cybercrime targets due to valuable data, operational urgency, and complex systems. Medical records contain sensitive personal and financial information, making them highly profitable. Hospitals cannot afford downtime, increasing the likelihood of ransom payments. Their large, interconnected networks, legacy devices, and many users expand the attack surface. Combined with often limited cybersecurity maturity, these factors make healthcare an attractive and vulnerable target.
Healthcare IT firm CareCloud has disclosed a data breach incident that exposed sensitive data and caused a network disruption lasting approximately eight hours. [...]
A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets. [...]
In episode 459 of Smashing Security, we dive into a chillingly clever account takeover attempt targeting WordPress co-founder Matt Mullenweg - involving MFA fatigue, real Apple alerts, a convincing support call, and a phishing page that oh-so-nearly worked. If a famous techie could have this happen to you, can you be sure you're immune?
Plus: would you donate your lifetime medical history to science if you were promised anonymity? We unpack serious concerns around UK Biobank, where “de-identified” data may not be as anonymous as you think — and how surprisingly little information it takes to reveal everything.
And! Human-powered “AI”, and a punishment worse than prison: eight hours on the RSA expo floor...
All this, and much more, in episode 459 of the "Smashing Security" podcast with cybersecurity veteran and keynote speaker Graham Cluley, and special guest Paul Ducklin.
A breach at Cognizant’s TriZetto Provider Solutions exposed sensitive health data belonging to more than 3.4 million patients.
A data breach at Cognizant’s TriZetto Provider Solutions exposed sensitive information belonging to more than 3.4 million patients. At this time, no ransomware group has claimed responsibility for the attack yet.
TriZetto Provider Solutions is a healthcare technology provider that develops software and services for medical practices, hospitals, and insurers. It offers tools for billing, revenue cycle management, claims processing, and administrative workflows used across the healthcare ecosystem.
On October 2, 2025, the company detected suspicious activity in a web portal used by healthcare providers. An investigation revealed that, starting in November 2024, an unauthorized actor accessed records linked to insurance eligibility verification transactions. The firm engaged cybersecurity experts, notified law enforcement, and began informing affected providers in December 2025.
Around November 28, 2025, TriZetto determined the breach may have exposed personal and health data, including names, addresses, birth dates, Social Security numbers, insurance details, and provider information. Financial data was not affected, and no identity theft or fraud linked to the incident has been reported so far.
“On or around November 28, 2025, TPS learned that the affected data may have included your name, address, date of birth, Social Security number, health insurance member number (which, for some individuals, may be a Medicare beneficiary identifier), provider name, health insurer name, primary insured information, and other demographic, health, and health insurance information.” reads the data breach notification letter shared with the Maine Attorney General Office. “The incident did not affect any payment card, bank account, or other financial information. At this time, we are not aware of any identity theft or fraud related to the use of any affected individual’s information, including yours.”
After discovering the incident, the company implemented additional safeguards to better protect its systems and services.
TriZetto is offering 12 months of free identity protection services, including credit monitoring, credit reports, and credit score alerts. The company also provides proactive fraud assistance through Kroll, a firm specializing in identity protection and fraud remediation.
Although no identity theft or fraud has been linked to the breach so far, individuals are encouraged to remain vigilant. This includes reviewing financial statements, monitoring credit reports, and reporting suspicious activity to banks or financial institutions. A dedicated support line has also been set up to provide additional information and assistance.
TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people. [...]
The University of Mississippi Medical Center (UMMC) says it has resumed normal operations, nine days after a ransomware attack blocked access to electronic medical records and took down many of its IT systems. [...]
The University of Hawaii confirmed that a ransomware gang stole the data of nearly 1.2 million individuals in August 2025 after breaching its Cancer Center's Epidemiology Division. [...]
Healthcare is the most targeted industry for cyberattacks, and ransomware-related delays in care have been linked to patient deaths. D3 Morpheus gives healthcare SOC teams an AI-autonomous platform that correlates alerts across the entire security stack, identifies ransomware kill chains in progress, and produces the audit-ready evidence trail that HIPAA and HITECH demand.
Everest ransomware claims an attack on diagnostic firm Vikor Scientific (Vanta Diagnostics), exposing data of nearly 140,000 people.
The Everest ransomware group has claimed responsibility for a cyberattack on Vikor Scientific, now operating as Vanta Diagnostics. The healthcare diagnostic firm disclosed a data breach impacting 139,964 individuals, as reported by the US Department of Health and Human Services (HHS).
The incident stems from the attack on Catalyst RCM, a third-party provider of revenue cycle management services. Around November 13, 2025, Catalyst detected suspicious activity in its secure file system. The company launched an investigation into the incident that revealed that an authorized login was misused to access a server on November 8–9, 2025, and copy data without permission.
In November 2025, the Everest ransomware group added Vikor Scientific and its affiliated labs, KorPath and Korgene, to its Tor data leak site. Catalyst RCM likely did not pay the ransom, and the cybercrime gang published allegedly stolen data, including Vikor Scientific documents.
The group claimed the theft of “internal company documents contains a huge variety of personal documents, EMRs, Patient’s private information, Billing information etc.”.
Everest claimed the theft of the Vikor Scientific database containing 25,303 PDF files (9.39 GB) and Korgene database containing 1,344 PDF Files (505 mb).
Catalyst reviewed the information to identify sensitive data and notify potentially affected individuals, completing this process by December 12, 2025.
“The categories of information that may be involved varies by individual, but could include some combination of name, date of birth, payment card information with access code, medical treatment, history, or diagnosis information, and health insurance information.” reads the data breach notification published by Catalyst RCM.
After discovering the breach, Catalyst notified partners and conducted a thorough review of potentially compromised data, updating policies to prevent future incidents. The company is not aware of any identity theft or fraud; it offers free credit monitoring and identity restoration to the impacted people. Individuals are encouraged to monitor accounts, review credit reports, and follow guidance on freezes, alerts, and protecting personal information.
North Korean state-backed hackers associated with the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware. [...]
The BlackBasta ransomware group’s leaked chat logs have already proven to be another unique and fascinating opportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime enterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to be a treasure trove of intelligence on that cybercrime enterprise. The BlackBasta gang consists of former Conti ransomware members, and it should come as no surprise that their operations are similar in nature and structure.
Ransomware researchers have several valuable resources to conduct investigations with nowadays. These include ransomware.live, which hosts several resources including ransomch.at, a collection of negotiation chats between ransomware gangs and their victims, as well as the ransomware tool matrix and ransomware vulnerability matrix. These resources allow researchers to understand in depth the capabilities and motivations of these ransomware gangs. However, leaked chat logs are the final missing piece of the puzzle and offer a deeper understanding from the cybercriminals’ very own perspective, including their organisational structure.
Active since April 2022, BlackBasta is one of the top-tier ransomware gangs and one of the largest cybercrime enterprises in the world. According to the US Cybersecurity and Infrastructure Security Agency (CISA), BlackBasta impacted up to 500 different businesses and critical infrastructure organisations in North America, Europe, and Australia as of May 2024.
The importance of the Ascension Health incident
This blog shall dive deep into the Ascension Health attack by BlackBasta. It is a step-by-step extraction of the conversation between the BlackBasta members while they decide how to handle the attack.
The new insights into how BlackBasta and other ransomware gangs perceive being involved in incidents at healthcare sector victims should prove useful for incident responders, law enforcement, and governments that have to resolve these types of attacks on the healthcare sector on an alarmingly regular basis.
Background
On 9 May 2024, mainstream news organisations in the US reported on a cyberattack and significant disruption of services at Ascension Health, one of the largest healthcare providers in the country. On 11 May 2024, BleepingComputer reported that BlackBasta was to blame for the attack on Ascension Health and that ambulances had been disrupted and patients were being redirected to other hospitals.
How the Incident Began
The BlackBasta attack on Ascension Health began many months before the ransomware was deployed on its network. Reconnaissance of Ascension Health by members of BlackBasta began around 3 November 2023. They shared 14 email addresses of Ascension Health employees, which we can only assume were used for phishing or password guessing. Ransomware gangs often use Zoominfo to profile their targets and determine whether it is worth it for them to attack and get a ransom from them.
The ransomware gang themselves wrote in their Matrix chat that CBS News had written about a cyberattack on Ascension Health on 9 May 2024 and exclaimed that “it looks like one of the largest attacks of the year.”
Another BlackBasta member, “gg”, confirmed in the chat that it was them and appeared to be surprised that the news was writing about it.
Later, “gg” appeared to feel bad about the attack and concerned that cancer patients were suffering. However, at this stage it is hard to tell if they were serious or being sarcastic.
One member of BlackBasta who used the moniker “tinker” then stated that he wanted to be the negotiator for the BlackBasta team and began to strategize how to extract a ransom payment.
“gg” says they encrypted Ascension Health’s network using the Windows Safe Mode Boot technique, which BlackBasta is well known for.
The negotiator, “tinker”, begins to weigh up their options. He states he believes the FBI and CISA will be involved, as well as Mandiant, and begins to compare the incident to the Change Healthcare attack by ALPHV/BlackCat (and later RansomHub), who received a 22 million USD ransom payment.
“gg” shares that all the stolen data was put on a server named “ftp8” and tagged as “ALBIR_DS”, and says to “tinker” that he should “look at the folder name, everything we downloaded from them is there.”
The operator, “gg”, also shared a summary of Ascension Health’s target environment: over 12,000 servers, and the security tools in use, such as Cylance, Tanium, and McAfee. “gg” also said they downloaded over 1.4TB of data to “ftp8”, used BlackBasta ransomware version 4.0, and attacked them on 8 May 2024.
Interestingly, “gg” appears to have also recommended bluffing to the victim about the volume stolen: rather than the 1.4TB actually taken, they should claim to have stolen more than 1.5TB, and say 3TB instead.
Negotiation Strategizing
After having established the details of the incident, Tinker (the negotiator) began to wonder about the likelihood of getting a ransom payment, as well as to estimate how much Ascension Health was likely losing per day.
Tinker (negotiator) then explains to the rest of the BlackBasta members involved in the attack what course of action they should take to get the ransom from Ascension Health. Tinker says they would normally set a 3% of the annual revenue and negotiate from there. They note that there are clear problems with the victim being a hospital and that this attack followed the Change Health attack by ALPHV/BlackCat. They also noted that they are worried as they believe the US National Security Agency (NSA) attacked TrickBot's servers four years ago and that the FBI took down Qakbot more recently. Tinker is also worried that one of Ascension Health’s patients will die and they will be blamed and labelled as a terrorist attack.
Tinker also noted that when BlackSuit attacked Octapharma, the news labelled it as "hostile actions by Russia", and warned that Conti was already under sanctions and that, because they are tied to Conti, they may not get paid.
Tinker, ransomware negotiator for BlackBasta, ultimately recommended giving the decryptor for free to Ascension Health and resorting to data theft extortion. This is notable, as it is a similar situation to the Irish HSE ransomware attack by Conti, who also provided the decryptor for free.