
The State Of Ransomware February 2026
February recorded 82 publicly disclosed ransomware incidents, with healthcare emerging as the most targeted sector, accounting for 31% of reported attacks. Organizations across 20 countries disclosed incidents during the month, with the United States the most affected with 51 incidents. A total of 24 ransomware groups were linked to publicly claimed attacks, led by Shiny Hunters with eight incidents, followed by Qilin with six. Notably, 41% of attacks were not yet attributed to any known ransomware group.
Find out who made ransomware headlines in February.
1. Nova Biomedical recently reported that a data security incident it experienced last year compromised the sensitive personal information of 10,764 individuals. Unauthorized access to internal networks was discovered on December 18, 2025, prompting an investigation to be immediately launched to determine the nature and scope of the incident. The compromised data included names and other personal identifiers including SSNs.
2. According to a notice on its company website, Hosokawa Micron Corporation suffered from a cyber incident in early February. The incident did not impact business operations, but the organization did confirm that electronic files were accessed by threat actors. Everest claimed responsibility for the attack, allegedly stealing 30GB of data. The group’s dark web post also included a number of screenshots of stolen documents, posted as proof of claims.
3. Everest ransomware group claimed to have breached Iron Mountain, a major global data management and storage firm, alleging the theft of around 1.4 TB of internal and client-related information and threatening to publish it if their demands weren’t met. While screenshots of allegedly compromised directories were posted on the group’s dark web leak site, Iron Mountain has stated that the incident was limited to a single folder of marketing materials accessed via a compromised credential and that no ransomware was deployed on its core systems.
4. It was announced that Onze-Lieve-Vrouw Instituut (OLV) Pulhof, a secondary school in Berchem, Belgium, suffered a ransomware attack shortly after the Christmas break. The attack disrupted its internal systems and prompted threats to leak or sell sensitive data relating to students and staff unless a ransom was paid. BitLock, who were reported to be responsible for the incident, initially demanded around €100,000, later lowering it to about €15,000, but the school declined to engage or pay, following guidance from authorities. In a troubling escalation, the threat actors then contacted parents directly, demanding €50 per child and threatening to expose personal information if payments were not made. Belgian prosecutors confirmed an ongoing investigation, and the school has advised parents not to comply with payment requests as it works to secure its systems and assess the impact.
5. INC ransomware group has claimed responsibility for a cyberattack on UK-based management software provider Distinctive Systems. The group added the company to its data leak site, publishing what it says are internal documents and contracts as evidence of the breach. Distinctive Systems confirmed it is investigating a cybersecurity incident that occurred in January and stated that all appropriate notifications have been made at this stage of the investigation.
6. Neurological Associates of Washington confirmed it notified 13,500 state residents of a December 2025 cyberattack which led to a data breach. Data compromised includes names, SSNs, diagnoses, medical information, and other types of personal information. The clinic confirmed that its facilities server that stored medical records was attacked and encrypted. DragonForce took credit for the attack, claiming to have stolen 1.4 TB of data from the clinic. Sample images of allegedly stolen documents were added to DragonForce’s dark web post.
7. Everest ransomware group claimed it had breached internal systems associated with Poly, the enterprise communications business now part of HP Inc., alleging the theft of around 90 GB of internal data and posting screenshots on its leak site as supposed proof. The materials shared appear to show engineering files, code listings and documentation tied to legacy Polycom systems, the brand HP acquired in 2022, rather than current production environments, and there is no independent confirmation that HP’s current networks or customer data were compromised. HP has acknowledged the allegations and said it is investigating, but so far has found no evidence of an active breach or impact to its customer systems.
8. Match Group, the operator of popular dating services including Match.com, Hinge, OkCupid, and Tinder, confirmed it experienced a cybersecurity incident after the threat actor group ShinyHunters claimed to have obtained and posted millions of records and internal files linked to its platforms. Match Group said the unauthorized access was quickly terminated and that it is investigating the matter with external experts, stressing that there is no evidence attackers accessed user login credentials, financial data, or private messages, though a limited amount of user-related information and internal documents were exposed and affected individuals are being notified as appropriate.
9. ShinyHunters claimed it had breached Bumble Inc., alleging the theft of roughly 30 GB of internal data from cloud services such as Google Drive and Slack and posting it on its leak site. Bumble confirmed that a contractor’s account was compromised in a phishing attack, which allowed brief unauthorized access to a limited portion of its systems, but said the incident was quickly contained. The company emphasized that no member database, user accounts, private messages or dating profiles were accessed, and it has engaged external cybersecurity experts and law enforcement to investigate the situation.
10. German insurer HanseMerkur, headquartered in Hamburg, has been listed on DragonForce’s dark web leak site following claims of a ransomware attack in early 2026, with threat actors alleging they exfiltrated nearly 97GB of internal data, including financial documents such as invoices, tax records, and vouchers, as well as possible files linked to partner Emirates Insurance. HanseMerkur has not publicly confirmed the incident or disclosed any operational impact.
11. Maryland-based Lakeside Title Co. is the target of a proposed class action lawsuit following an alleged ransomware attack. The suit claims inadequate data security exposed personally identifiable information of thousands of customers and employees. Play ransomware group claimed responsibility for the attack but did not provide detailed information relating to the type or amount of data stolen during the incident.
12. Central Ozarks Medical Center notified 11,818 individuals that some of their personal and protected health information was compromised during a November 2025 cyberattack. The types of information compromised include names, SSNs, financial account information, medical treatment information, and health insurance information. No further information relating to this attack has been made public.
13. Philippine tech firm Lenotech Corporation was allegedly targeted in a ransomware attack when the Tengu ransomware group listed the company on a dark web leak site, claiming to have exfiltrated around 136 GB of internal data and threatening to publish it if negotiations did not begin. The samples posted reportedly include internal directories and service-related files, but Lenotech has not publicly confirmed the incident.
14. In Denver, Clinic Service Corporation confirmed that it had experienced a hacking incident which led to the exposure of sensitive information. A forensic investigation confirmed that its network had been accessed for a seven-day period in August 2025. Both PII and PHI were compromised during the incident. 82,331 individuals were impacted.
15. Insightin Health announced that it experienced a cyberattack in September 2025 that led to the unauthorized access of patient data. A data review revealed that exposed files included protected health information associated with its clients. Medusa claimed responsibility for the attack and threatened to publish the stolen data. The group claims to have exfiltrated 378 GB of data from the organization.
16. Shiny Hunters claimed responsibility for a November cyberattack on the University of Pennsylvania in Philadelphia. The ransomware group published datasets that it claims contain more than one million records belonging to the university. The university did not specify the exact categories of data involved, stating only that systems related to alumni relations and fundraising had been accessed. During the incident, attackers sent emails to alumni from official university email accounts announcing the intrusion.
17. Shiny Hunters also published datasets of more than one million files allegedly belonging to Harvard University. The university confirmed that it had suffered a cyberattack in November which compromised its alumni systems. Attackers used phone calls to trick individuals into clicking malicious links or opening harmful attachments. Harvard confirmed that exposed information included contact information, donation details and other biographical data connected to alumni engagement and fundraising activities.
18. Customers of newsletter platform Substack were warned that email addresses, phone numbers and other metadata were leaked in a recently discovered data breach. The platform stated that it discovered a problem within its systems in early February that allowed an unauthorized third-party to access limited user data. Credit card numbers, passwords and other financial data were not leaked. The statement made by the company followed an unknown hacker claiming to have stolen personal information of about 700,000 users.
19. Beacon Mutual Insurance Company confirmed it was the victim of a cyberattack in January. A notice was posted on the organization’s website following requests for comments prompted by Beacon’s appearance on ransomware tracking websites. It was confirmed that the company’s production environment was not involved in the incident, but that the company’s network was disconnected as a preventative measure. INC took responsibility for the attack, claiming to have pilfered 275 GB of highly sensitive internal data from Beacon, adding screenshots to its leak site as proof of claims.
20. Romania’s national oil pipeline operator Conpet confirmed it was hit by a cyberattack that disrupted its corporate IT systems and took its public website offline while its core pipeline operations continued unaffected. The company said it is investigating the incident with national cybersecurity authorities and has filed a criminal complaint with the Directorate for Investigating Organized Crime and Terrorism (DIICOT). Although Conpet has not disclosed technical details of the breach, the Qilin ransomware group has claimed responsibility, listing the operator on its dark web leak site and alleging the theft of nearly 1 TB of internal documents, including financial records and passport scans.
21. Lynx took credit for a cyberattack on Lakelands Public Health in Ontario, Canada. The incident caused some programs and services to experience temporary outages. LPH was unable to give details about the attack due to the ongoing nature of the investigation. Lynx claims to have stolen confidential information, posting sample images of allegedly stolen documents on its leak site.
22. Sapienza University of Rome, one of Europe’s largest universities with around 120,000 students, suffered a major cyberattack that forced its IT infrastructure offline for several days, disrupting access to key services such as exam booking, email and administrative systems. University officials shut down network systems as a precaution while a technical task force, supported by Italy’s National Cybersecurity Agency and law enforcement, worked to restore services from unaffected backups. It is not clear who is responsible for this attack, but reports stated that a link was sent to the university demanding a ransom and giving a 72-hour deadline to pay.
23. In Australia, Epworth HealthCare was allegedly breached by 0APT ransomware group, which claims to have stolen 920 GB of data from the healthcare provider. The hackers’ leak post states that the stolen data includes surgical records, patient names, and billing details. The ransomware group stated that it was actively negotiating with Epworth but that the involvement of any external parties would result in an immediate sample leak to local media. However, Epworth has said that it has found no evidence of a breach.
24. The Jefferson Blount St. Clair Mental Health Authority in Alabama notified 30,434 people of a November 2025 data breach. It is believed that the stolen data, which includes both PII and PHI, was collected by JBS Mental Health between 2011 and 2025. Medusa took credit for the breach and demanded a $200,000 ransom to destroy 168.6 GB of stolen data. To prove its claim, Medusa posted sample images of what it says are documents from JBS’s servers.
25. DOCS Dermatology Group disclosed a security incident that was identified in late November 2025. An investigation determined that an unauthorized third-party had access to its networks over a seven-day period, during which data was compromised. Although the data review remains ongoing, DOCS has determined that compromised data includes PII, PHI and billing information. It is not known who is responsible for this attack or how many people have been impacted.
26. A total of 3,722 clients of the Center of Neuropsychology and Learning in Michigan were affected by a data breach following unauthorized access to one of the organization’s servers. The intrusion was discovered in November 2025, and a subsequent forensic investigation found that the server had been accessed in late October. The compromised system stored protected health information, though it did not contain highly sensitive data.
27. BridgePay Network Solutions, a major U.S. payment gateway provider, confirmed it was hit by a ransomware attack that knocked its systems offline and triggered a widespread outage affecting merchants, municipalities and other organizations that rely on its infrastructure for processing card payments. The incident, first detected on February 6, disrupted core services including APIs, virtual terminals and hosted payment pages, forcing some businesses to resort to cash-only transactions while services were unavailable. BridgePay engaged federal authorities along with external forensic and recovery teams, and said initial investigations show no payment card data was compromised despite files being encrypted. Restoration efforts are ongoing with no clear timeline for full recovery as the company works to securely bring systems back online.
28. CoinbaseCartel added Dolby Laboratories, a major US tech corporation, to its dark web blog. The ransomware group did not provide any data samples or information relating to the breach. Dolby has not commented on the alleged breach.
29. WindRose Health Network informed certain patients of a security incident discovered in August 2025 involving unauthorized access to parts of its network. The affected systems contained both personal information and protected health information. While the specific data involved differs by individual, the organization believes that approximately 691 individuals were impacted by the breach.
30. In New Hampshire, Cottage Hospital detected unauthorized access to its computer network. A forensic investigation determined that hackers had access to a single file server in October 2025. The hospital confirmed that files had been exfiltrated in the incident. The impacted server contained current and former employees’ names, SSNs, driver’s license numbers, and potentially bank account information. 2,156 individuals were affected by the incident.
31. IT management software company SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The attack impacted the company’s office network and data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. Hackers compromised the mail server and moved laterally to the Windows servers in the data center, compromising 12 of them. Reports suggest that Warlock ransomware group was responsible for the attack.
32. 1,800 individuals were affected by a data breach at Pit River Health Service in California. An unauthorized third-party hacked its systems and copied data. The healthcare provider confirmed that no data was altered or deleted in the attack. As a result of the incident, some patient services were delayed. It is not known who is responsible for the attack.
33. Brush manufacturer Trisa was targeted by Lynx ransomware group, who claimed to have exfiltrated over 1 TB of information. Trisa confirmed the incident, stating that the attacker had managed to infiltrate “clearly defined and strictly limited” areas of its IT systems for a short time. According to the company, less than one percent of the company’s data was copied. The company filed a criminal complaint following the incident.
34. Following a ransomware attack on Senegal’s Directorate of File Automation, the government department suspended operations and shut down services tied to national ID cards, immigration, and other biometric data. A senior police official stated that authorities were working to restore affected systems and that the integrity of citizens’ personal information remains intact. Green Blood Group claimed to have breached the agency and exfiltrated 139 GB of data. The group claims that stolen materials include database records, biometric information, and immigration documents. Sample files were released to support the claim.
35. Pecan Tree Dental confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. A notice on the dental clinic’s website was light on detail but stated that steps were being taken to secure its systems and an investigation into the incident had been launched. Official notifications indicate that up to 13,300 individuals had their protected health information exposed in the incident. Sinobi took credit for the attack, claiming to have exfiltrated 250 GB of data. The group has since leaked the stolen information on the dark web.
36. 83,354 individuals were affected by a data security incident involving the Counseling Center of Wayne and Holmes Counties. The incident caused widespread disruption to its IT systems. An investigation was launched, all impacted systems and accounts were removed, and credentials were reset. The forensic investigation determined that an unauthorized party had exfiltrated files including both PII and PHI.
37. Japan Airlines announced that unauthorized access to the reservation system on its Same-Day Luggage Delivery Service may have exposed the personal information of up to 28,000 customers. A third-party accessed the system, causing the services to be rendered temporarily unavailable. The potentially compromised data includes personal information and other travel-related details.
38. The Augusta Housing Authority, one of Georgia’s largest public housing agencies, was reportedly targeted in a ransomware attack linked to the Qilin group, who posted the agency on its dark web leak site alongside several other victims. Sample documents posted by the group included personal data from low-income housing applicants and city employees. The incident affected some internal systems and potentially exposed sensitive applicant and employee data, including correspondence documents, utility reimbursement reports and payroll-related files that were shared as proof of access. Local officials took affected systems offline to contain the breach, engaged cybersecurity responders, and worked to restore services, though it remains unclear whether personal information was publicly disclosed or if a ransom demand was made.
39. EyeCare Partners announced an email security incident that was identified in January 2025. An investigation into the incident confirmed that an unauthorized third-party had accessed multiple managed email accounts in late 2024 / early 2025. Data compromised in the incident includes names, contact information, health plan information, and limited clinical information. It has been reported that 17,110 individuals were affected.
40. California-based MedRevenu Inland Physicians Hospitalist Services notified relevant authorities of a cybersecurity incident that took place in 2024. The incident caused network disruption and resulted in the exposure of personal, financial and health information. BianLian claimed responsibility for the attack shortly after it happened and later leaked the stolen information.
41. Dutch telecommunications provider Odido suffered a significant cyberattack that exposed sensitive personal data from its customer contact system, affecting an estimated 6.2 million accounts. Hackers gained unauthorized access over the weekend of February 7–8 and downloaded names, addresses, mobile numbers, email addresses, bank account numbers, dates of birth and government ID details, though passwords, call records and billing information were not compromised. Odido promptly blocked the intrusion, engaged external cybersecurity experts and reported the incident to the Dutch Data Protection Authority while assuring that its core services remained unaffected. Following a ransom demand from the threat actors, parts of the stolen data were later published on the dark web after Odido reportedly refused to pay.
42. Atlas Air, a major U.S. cargo airline, denied that its systems were compromised after Everest ransomware group added the organization to its leak site. Everest claimed to have pilfered 1.2 TB of sensitive technical information, including Boeing aircraft data. Screenshots provided as proof of claims included aircraft maintenance and repair reports, repair and logistics documentation, and internal operational corporate files.
43. Akira ransomware group added Canadian retailer Ardene to its leak site and claims to have stolen 58 GB of data. Ardene notified customers of a cyber incident that impacted its internal systems in January, causing shipping delays. Ardene stated that it was not aware that any customer data had been compromised. Akira claims to have stolen financial data, customer and employee information, and other confidential information.
44. Sakata Seed Corporation reported a cyber incident affecting servers at its US consolidated subsidiary, Sakata America Holdings Corporation Inc. The seed producer is working with U.S. law enforcement and an external cybersecurity firm to investigate the point of infiltration and potential data access. There was no significant disruption to normal business operations. Qilin has claimed responsibility for this attack.
45. A cyberattack on Grund Nursing Home System in Iceland led to the exposure of sensitive information relating to tens of thousands of individuals. The attack caused significant disruption, affecting the operations of the entire organization. It was confirmed that the stolen information spans many years.
46. Livingston HealthCare in Montana stated that its phone systems had been restored following a cyberattack. The attack disrupted communications and led the hospital to take some systems offline. An update in mid-February said that some network services remained limited, but that patient care continues. No ransomware group has stepped forward to take credit for this incident.
47. Washington Hotel, a major hospitality brand in Japan, confirmed that it was the victim of a ransomware attack after unauthorized access to several of its internal servers was detected on February 13, 2026. The breach exposed various business data on the compromised systems, prompting IT teams to immediately disconnect the affected servers from the internet and activate an incident response plan involving police and external cybersecurity experts to assess the impact and contain the threat. While customer information, such as loyalty program data stored on separate third-party systems, is currently believed to be unaffected, some hotel locations experienced temporary issues with credit card terminals and ongoing investigations are underway to determine the full scope and any potential data exposure. No ransomware group has publicly claimed responsibility for the attack.
48. The Cheyenne and Arapaho Tribes of Oklahoma stated that a ransomware attack forced them to shut down tribal computer networks. Email and phone services were disrupted and some operations were temporarily suspended as systems were restored. Rhysida took credit for the attack, demanding a $680,000 ransom in exchange for the stolen data. Tribal leaders stated they would not negotiate or pay and have not confirmed whether data was actually stolen.
49. Seagrass Boutique Hospitality Group confirmed that it fell victim to a cyberattack orchestrated by Kairos ransomware. The cybersecurity incident involved unauthorized access to part of the company’s IT network, prompting the isolation of the affected system. An investigation into the incident remains ongoing. Kairos claimed to have exfiltrated 50 GB of data from the organization, giving a seven-day deadline to meet undisclosed demands.
50. Qilin added Mount Barker Co-operative, a West Australian food co-operative, to its leak site, alongside claims that 40 GB of internal data had been exfiltrated. The stolen data allegedly contains 55,361 files, but no sample documents or additional information was available on the dark web listing. The Mount Barker Co-operative has not yet publicly addressed Qilin’s claims.
51. The ransomware group BravoX has claimed responsibility for breaching the systems of the Order of Chartered Accountants of Brittany. The group alleges it exfiltrated thousands of files totaling approximately 859GB of data. Describing the information as highly sensitive, BravoX has issued a 12-day deadline before it plans to publish the stolen data.
52. The Aeromedical Society of Australasia (ASA) was allegedly hacked by LockBit. The not-for-profit was added to the group’s leak site, and while no evidence of the hack was shared, LockBit said it would publish the stolen data on February 26. ASA is aware of the claims made by the notorious ransomware group and has made contact with relevant authorities. The organization did state that it does not hold personal information on its platforms.
53. Major French multinational aerospace, defense, and security corporation Safran Group has denied being impacted by a cyberattack. Allegedly stolen information from its systems had been inadvertently exposed by a third-party provider. Safran Group had a data set with over a million lines of data stolen and leaked by a threat actor. Stolen data included names, emails, ERP references, and other order details. The firm did not experience operational disruption or adverse security impact from the incident.
54. OpenLoop Health is facing a potential class action over an alleged cyberattack that may have exposed the health data of 1.6 million people. Threat actors claim to have hacked OpenLoop’s computer system and to have accessed a cache of highly sensitive and private information. The lawsuit alleges OpenLoop failed to notify patients of the data breach.
55. Issaqueena Pediatric Dentistry recently reported a hacking incident that involved unauthorized access to PII and PHI. The incident is still being investigated, so the number of affected individuals has yet to be confirmed. The healthcare provider discovered the intrusion in mid-November when ransomware was used to encrypt files. Interlock claimed responsibility for the attack.
56. AltaMed Health Services Corporation recently alerted patients about a cybersecurity incident that took place in mid-December 2025. The incident limited access to some of its computer systems. Third-party cybersecurity experts were engaged to assist with the investigation, which remains ongoing. It has been determined that the compromised systems contained some patient information.
57. German-based athletic apparel and footwear manufacturer Adidas started an investigation into a potential data breach of one of its independent licensing partners following claims made by a cybercriminal group. An individual claiming affiliation with the Lapsus$ Group posted on BreachForums, asserting that the group had compromised Adidas’ extranet. The post claimed that 815,000 rows of data, including personal information and technical data, had been stolen. Company representatives stated that there is no indication that internal IT systems, e-commerce platforms, or consumer data have been affected by the incident.
58. The Shiny Hunters ransomware group has been associated with a breach involving Figure Technology Solutions, claiming that personal and contact information linked to 967,200 accounts was stolen. The intrusion reportedly involved a limited number of files taken from the company’s internal network. The exposed data is said to include more than 900,000 unique email addresses along with additional personal details. After alleging that Figure declined to pay an undisclosed ransom, the group published 2.5TB of data purportedly taken from thousands of loan applicants.
59. Advantest Corporation, a major Japanese semiconductor test equipment manufacturer, disclosed it is responding to a ransomware incident that was detected on February 15, 2026, after unusual activity was identified within its IT environment. The company immediately activated its incident response plan, isolated affected systems and brought in third-party cybersecurity experts to investigate and contain the breach. Preliminary findings suggest an unauthorized third-party may have gained access to parts of Advantest’s network and deployed ransomware, though no specific ransomware group has taken credit and there is no confirmed evidence of data theft at this stage. Advantest has stated that if customer or employee data is found to have been compromised, affected individuals will be notified directly, and it continues to investigate the full scope of the incident while reinforcing security measures.
60. North East Medical Services (NEMS) notified 91,513 patients of an October 2025 data breach following a cyberattack on its third-party software provider, UnitedLayer. The impacted data includes Social Security numbers and medical information. RansomHouse claimed responsibility for the attack, claiming to have encrypted UnitedLayer’s data and providing evidence packs to prove its claims. UnitedLayer has not confirmed the ransomware group’s claim.
61. Finance platform youX confirmed its systems were accessed by an unauthorized third-party during a cybersecurity incident. A hacker has claimed to have stolen information from 444,528 Australian borrowers including addresses, emails, phone numbers, government IDs and credit information. Another 629,597 loan applications, 229,226 driver’s licence numbers and 607,522 residential addresses were allegedly stolen, along with banking records, customer and staff details from 797 broker organizations.
62. ShinyHunters has claimed responsibility for a major breach of CarGurus, the U.S.-based online automotive marketplace, and published a dataset containing personal information tied to more than 1.7 million accounts after an apparent failed extortion attempt. The leaked archive, roughly 6.1 GB in size, is reported to include names, email addresses, phone numbers, physical and IP addresses, user account IDs, finance pre-qualification application data and dealer subscription information. CarGurus has not publicly confirmed the incident, but the breach has been added to Have I Been Pwned’s database.
63. Catalyst RCM, a U.S.-based medical revenue cycle management provider, confirmed that a ransomware-linked data breach first detected in November 2025 has impacted sensitive information it stored on behalf of healthcare clients. Between November 8 and November 9, 2025, an unauthorized actor used compromised credentials to access a secure file management system and copied data without permission. The compromised information may include names, dates of birth, payment card details, protected health information and insurance data for patients of clients such as Vikor Scientific (now Vanta Diagnostics), KorPath and KorGene, with regulatory filings indicating approximately 139,964 individuals were affected. The ransomware group Everest claimed responsibility on a dark web leak site.
64. WIRX Pharmacy has notified 20,104 individuals of a December 2025 cybersecurity incident that may have resulted in unauthorized access to protected health information. Upon discovering suspicious activity, systems were secured and an investigation was launched. A review of exposed files confirmed that personal and protected health information were present in the files on the compromised parts of its network. The affected data varies from individual to individual.
65. In California, Emanuel Medical Center started notifying current and former patients about a May 2025 security incident. Cybersecurity experts confirmed unauthorized access to the healthcare provider’s network in May, and that files containing personal and protected health information were present on affected systems. Data compromised in the incident varies from individual to individual.
66. Choice Hotels International disclosed that on January 14, 2026, a threat actor used a social engineering attack to gain unauthorized access to an internal application containing records related to franchisees and franchise applicants, despite multifactor authentication being in place. Choice detected the activity and shut it down in less than an hour, then determined through investigation that the accessed records included personal information such as names, contact details, Social Security numbers and dates of birth. The breach appears to be limited to franchisees and applicants rather than hotel guests. Regulatory notices have been filed in multiple U.S. states, though an exact total of impacted individuals has not been publicly disclosed. No ransomware group has claimed responsibility for the incident.
67. In Northern Ireland, Grange Dental Care fell victim to a cyberattack that resulted in fraudulent emails being sent from the practice’s system. The issue was identified quickly, and the practice’s IT provider was contacted immediately to prevent further damage. Certain information was accessed during the attack, but it appears that no sensitive data or personal information was compromised. Investigations remain ongoing.
68. The University of Mississippi Medical Center (UMMC) confirmed that it was hit by a ransomware attack that disrupted its IT network, taking down key systems including its Epic electronic medical records platform and forcing it to shut down clinics statewide and cancel elective procedures while recovery efforts continued. Officials worked with federal agencies including the FBI, CISA and DHS to respond to the incident and restore services. Hospital inpatient and emergency services remained operational using downtime procedures, but phone, email and electronic health systems were offline for days as teams assessed the damage, communicated with the attackers and rebuilt secure infrastructure. UMMC has since begun reopening clinics and rescheduling appointments more than a week after the attack, though the full scope of the breach and whether patient data was accessed has not been publicly disclosed.
69. The Grand Hotel in Taipei issued a warning to customers of a possible data breach after discovering unauthorized access to its information systems. Upon discovering the attack, the hotel disconnected affected systems, conducted a security review and notified relevant authorities to investigate the incident. The Gentlemen ransomware group claimed responsibility for the attack.
70. Wynn Resorts, the luxury casino and hotel operator, was targeted by the ShinyHunters cyber extortion group, which claimed to have stolen more than 800,000 employee records including sensitive personal information. ShinyHunters listed Wynn on its data leak site and demanded 22.34 BTC (about $1.5 million) to delete the data and prevent its public release, setting a deadline for the company to engage with its demands. The stolen records are reported to contain details such as names, Social Security numbers, phone numbers and other PII, though Wynn Resorts has stated its guest operations and physical properties were not impacted. ShinyHunters later removed Wynn’s listing from its leak site, which in some cases indicates negotiations or disputed claims.
71. 56,954 patients have been impacted by a cybersecurity incident involving Greater Pittsburgh Orthopedic Associates. Unauthorized third-party access to its IT network was discovered in August 2025, prompting an investigation into the incident. The forensic investigation determined that personal and health information was compromised during the attack. RansomHouse claimed responsibility for the attack.
72. Air Côte d’Ivoire, the flag carrier airline of Côte d’Ivoire, confirmed it was the victim of a cyberattack after parts of its information systems were breached on February 8. The airline activated its business continuity plans to ensure flights and operations continued normally while technical teams and national cybersecurity authorities investigated the incident. INC ransomware gang claimed responsibility, asserting it had stolen around 208 GB of data and set a ransom deadline, though the airline has not confirmed the exact volume or nature of the compromised information.
73. The French Ministry of Finance disclosed a cybersecurity incident that exposed data associated with approximately 1.2 million user accounts after a threat actor accessed the FICOBA database. An internal investigation determined that a hacker used stolen credentials to access the platform, which records all bank accounts opened by French financial institutions. Information including bank account details, account holder identities, physical addresses, and in some cases, taxpayer identification numbers, may have been compromised. At this time, those responsible for this incident have not been publicly identified.
74. In Thailand, the Sasin School of Management has launched an investigation into a recent cybersecurity incident impacting a portion of its IT infrastructure. After detecting suspicious activity, the school took immediate steps to secure its systems and remove unauthorized access. The investigation remains ongoing, and at this stage there is no indication that critical data systems were breached. The Gentlemen ransomware group has claimed responsibility for the incident.
75. Qilin claimed responsibility for a cyberattack on the Transport Workers Union (TWU) Local 100, which represents tens of thousands of New York City transit workers and retirees, including subway, bus and ferry staff. Qilin added the union to its dark web leak site, alleging it had stolen 551 GB of sensitive information during the recent attack. While Qilin did not say how much information was taken or what files were involved, TWU Local 100 disclosed on its website its collection and retention of employees’ contact details, salary information, job titles, medical and insurance benefits, and retirement and pension planning information had been impacted.
76. UFP Technologies, a U.S.-based medical device and industrial component manufacturer, disclosed it was the victim of a cyberattack that disrupted parts of its IT environment and prompted the company to take affected systems offline as part of its response. The incident resulted in the encryption of certain data and temporarily impacted business operations while the organization worked with external cybersecurity experts to investigate and restore systems. UFP notified regulators and began reaching out to potentially affected customers, vendors and employees as part of the remediation process. No known ransomware group has claimed responsibility for this attack.
77. INC claimed responsibility for a cyberattack which caused disruption to the City of Cocoa in Florida. The city was forced to navigate a significant number of municipal IT issues that severely impacted local government operations. In response to the system failures, the City Council issued an emergency declaration and expedited the allocation of resources for system restoration and forensic investigation. INC added a number of leak documents to its leak site to substantiate the claims but did not give information on the amount of data allegedly exfiltrated.
78. In mid-February, the Qilin ransomware group listed Western Australia-based electronics retailer Esperance Communications on its dark web leak site, alleging it had stolen 14GB of data comprising more than 16,000 files. However, the group did not publish any screenshots or supporting documents to substantiate its claims.
79. Pathstone Family Office, a U.S.-based financial services firm, confirmed that it suffered a data breach after the ShinyHunters cybercriminal group published sensitive information on its leak site. According to the threat actor, the stolen dataset, consisting of 641,000 records, included financial documents and personally identifiable information tied to clients and employees, and was posted after the company reportedly declined to meet an unspecified ransom demand. While Pathstone acknowledged the incident and has been notifying affected individuals, it is working with cybersecurity specialists to assess the full scope of the exposure.
80. Hong Kong’s popular Ngong Ping 360 cable car attraction disclosed that it was the victim of a ransomware attack which resulted in the theft of personal data from its systems. The breach exposed information belonging to visitors who had purchased tickets online, including names, phone numbers, email addresses and payment card details, prompting the operator to report the incident to the Hong Kong Privacy Commissioner for Personal Data and offer support to those affected. Local authorities and cybersecurity experts were engaged to investigate the incident and strengthen defenses against future attacks.
81. Malaysia’s flag carrier Malaysia Airlines was listed by the Qilin ransomware group on its dark web leak site as a victim of a cyberattack, with the threat actor claiming to have exfiltrated sensitive data and threatening its public release unless negotiations take place. As of now, no proof or samples of stolen information have been published, and Malaysia Airlines has not officially confirmed the scope of the breach or what specific data, if any, was accessed.
82. 2,500 individuals have recently been notified of a ransomware attack on Apex Spine & Neurosurgery, which led to the compromise of their electronic protected health information. During the December attack, threat actors accessed its network and used ransomware to encrypt files. A forensic investigation confirmed that files were also accessed and copied during the incident. PII, PHI and some financial information were involved in the attack. Interlock ransomware group claimed responsibility for the attack, allegedly stealing 20 GB of data. Interlock proceeded to leak the stolen information as the ransom was not paid.
The State of Ransomware: February 2026
Rebecca Harpur | March 4th, 2026
BlackFog's state of ransomware February 2026 measures publicly disclosed and non-disclosed attacks globally.