
The State Of Ransomware May 2026
May saw 95 publicly disclosed ransomware attacks worldwide, affecting organizations across 17 countries. The United States remained the primary target with 54 attacks, while Australia experienced a notable uptick with 18 incidents. Healthcare was the hardest-hit sector, accounting for 28 attacks and continuing to be a prime target for ransomware groups. Qilin led all ransomware groups with 11 claimed victims, and with 37 different groups naming victims during the month, the ransomware ecosystem showed no signs of consolidation or slowing down.
Find out who made ransomware headlines in May:
1. Good Samaritan Health Center in Georgia has notified approximately 10,000 individuals following a ransomware attack on an internal server in February 2026. The organization isolated the affected server and successfully restored it from backups. While there is no confirmation that data was accessed or exfiltrated, the healthcare provider stated it could not rule out that possibility. Information stored on the compromised server included individuals’ names, dates of birth, ZIP codes, and limited clinical data.
2. Liberty Mutual is investigating claims by Everest ransomware group that it stole more than 108 GB of data containing policyholder information and insurance-related records. The threat actor alleged that the dataset includes customer names, addresses, policy numbers, and financial and insurance details, and published samples after a deadline for negotiations expired. Liberty Mutual stated that its initial investigation found no evidence of a compromise of its own systems and indicated the incident may be linked to a third-party vendor. The company continues to assess the scope and impact of the alleged breach.
3. Sydney-based property investment and management consultancy Prime Properties was listed as a victim by the emerging M3rx ransomware group. The threat actors claim to have exfiltrated approximately 100 GB of data comprising more than 81,000 files, although the company has not publicly confirmed the breach or the nature of any compromised information. According to reports, no ransom demand, payment deadline, or evidence of the alleged data theft has been disclosed.
4. The Standard-Examiner, a newspaper serving northern Utah, was listed as a victim by Qilin following reports of significant production difficulties that disrupted print deliveries in April. While Qilin claimed responsibility for a cyberattack and alleged it had compromised the organization, the newspaper has not publicly confirmed a ransomware incident, data theft, or any connection between the operational disruptions and the threat actor’s claim. As of the latest reports, no evidence of data exfiltration or details regarding potentially compromised information have been disclosed, and the incident remains unverified.
5. Hungarian media conglomerate Mediaworks confirmed it is investigating a cyber incident after WorldLeaks claimed to have stolen and published approximately 8.5 TB of company data. According to reports, the leaked files allegedly include payroll records, contracts, financial statements, and internal communications. Mediaworks acknowledged that a significant volume of data may have been obtained by unauthorized parties but has not verified the authenticity of all leaked materials.
6. Hanover County Public Schools (HCPS) in Virginia disclosed that a malicious actor gained access to its network in March 2026 and attempted to deploy ransomware before being detected and removed. An investigation found that the attacker may have accessed sensitive personal information belonging to students, staff, and other individuals, including names, SSNs, financial account details, and government-issued identification information. While HCPS stated it has found no evidence that the information has been misused, the school district notified potentially affected individuals out of an abundance of caution and continues to work with cybersecurity experts and law enforcement to assess the full impact of the incident.
7. Instructure’s Canvas learning management platform suffered a major cyberattack, with ShinyHunters claiming to have stolen 3.65 TB of data affecting approximately 275 million students, teachers, and staff across nearly 9,000 educational institutions worldwide. The attackers alleged they accessed names, email addresses, student ID numbers, and private user messages, though Instructure stated there was no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. The incident disrupted coursework and final exams at schools and universities globally, and Instructure later confirmed it had paid a ransom in an effort to prevent the stolen data from being leaked. While the company did not disclose the amount paid, cybersecurity experts have speculated that the attackers may have initially demanded as much as $10 million, although neither the ransom demand nor the final payment amount has been publicly confirmed.
8. Vergennes-based Basin Harbor Resort disclosed that it was impacted by a ransomware attack in October 2025 after threat actors gained unauthorized access to its computer systems and exfiltrated sensitive data. The compromised information included SSNs, government-issued identification numbers, financial account details, and payment card information. The incident affected approximately 3,150 individuals. In November 2025, Akira ransomware group claimed responsibility for the attack.
9. Australian luxury jewelry retailer Gregory Jewellers confirmed it was investigating a cyber incident after Kairos ransomware group claimed to have breached the company and stolen approximately 574 GB of data. The ransomware group listed the retailer on its dark web leak site and alleged they had exfiltrated a significant volume of internal information, although they did not publicly disclose the specific contents of the dataset. Gregory Jewellers acknowledged the incident and confirmed it was conducting an investigation to determine the validity of the claims and assess any potential impact. At the time of reporting, the company had not confirmed whether customer or employee information had been compromised, and the full scope of the alleged breach remained under review.
10. New Zealand electrical contractor McKay confirmed it was the victim of a cyberattack in January 2026 after being listed on the dark web leak site of the emerging Mnt6 ransomware group. The company said an unauthorized party gained access to a single internal device, prompting it to activate its incident response plan and quickly isolate and contain the breach. McKay stated that its core IT systems remained secure and operational throughout the incident, a finding that was independently verified by a third-party cybersecurity specialist. The company notified affected customers and relevant authorities, including New Zealand’s Office of the Privacy Commissioner and National Cyber Security Centre, while also obtaining a High Court injunction to restrict the disclosure of any potentially compromised data.
11. Jamaican conglomerate RJR Communications Group disclosed that it was targeted in a cyberattack that disrupted some of its systems and operations. The company said it immediately activated its incident response protocols, engaged cybersecurity specialists, and implemented containment measures to investigate and mitigate the incident. Shortly after the attack, LockBit claimed responsibility, listing RJR on its dark web leak site and issuing a 15-day deadline for the company to meet undisclosed demands. While RJR did not confirm any connection to LockBit’s claims or disclose whether data was accessed or stolen, it stated that business continuity plans were activated to minimize operational impact. The organization continues to assess the scope of the incident and monitor its systems as part of an ongoing investigation.
12. GS1 South Africa, the organization responsible for issuing and managing product barcodes across the country, denied claims by Stormous that it had suffered a data breach. Stormous alleged it had gained access to the organization’s systems and exfiltrated sensitive customer, employee, financial, and operational data, including information stored on SharePoint and SQL servers. However, GS1 South Africa stated that while it detected and contained an attempted malicious intrusion, its investigation found no evidence of unauthorized access, data exfiltration, ransomware deployment, or operational disruption. The organization said its security controls functioned as intended and described the threat actor’s claims as false.
13. Zona Ovest Torino, a public consortium serving several municipalities in the Turin metropolitan area, was reportedly targeted in a ransomware attack that disrupted access to its online services. According to reports, attackers encrypted systems and left a ransom note demanding payment within approximately two days, threatening that affected data could become permanently inaccessible if the deadline was not met. SafePay ransomware group later claimed responsibility for the attack and threatened to publish allegedly stolen information unless the organization entered negotiations. At the time of writing, officials had not confirmed whether data was exfiltrated, and the full scope of the incident remained under investigation.
14. German recycling and circular economy services provider Interzero disclosed that it was investigating a suspected IT security incident after a ransomware group publicly claimed to have breached the company and obtained corporate data. Interzero stated that it immediately engaged internal security teams, external forensic specialists, and relevant authorities to assess the situation and secure its systems. The company emphasized that it had not verified the attackers’ claims and had found no confirmed evidence that its systems were compromised or that personal or business data had been exfiltrated. Shortly before the disclosure, FulcrumSec claimed responsibility for the alleged breach, listing Interzero on its leak site and threatening to publish data unless the company entered negotiations. Interzero reported that its services and operational processes remained unaffected while the investigation continued.
15. Global commercial real estate services firm Cushman & Wakefield confirmed a limited cybersecurity incident stemming from a vishing attack after being listed by ShinyHunters. ShinyHunters claimed to have stolen more than 500,000 Salesforce records containing personally identifiable information and internal corporate data and gave the company a three-day deadline to respond to undisclosed ransom demands. Cushman & Wakefield acknowledged the incident, stating that it activated its response protocols, contained the unauthorized activity, and engaged third-party cybersecurity experts to support the investigation. While the company confirmed the breach originated from a social engineering attack, it did not verify the threat actors’ claims regarding the volume or nature of the allegedly stolen data and stated that its systems and operations remained fully functional throughout the response effort.
16. Australian home builder Champion Homes confirmed that customer information was compromised in a cyber incident after DragonForce ransomware group claimed responsibility for the attack. The company disclosed that an unauthorized third party accessed and exfiltrated data from its systems, with the affected information including customer names, contact details, identification documents, and other records provided during the home-building process. Champion Homes stated that it had contained the incident, engaged cybersecurity specialists, and notified impacted individuals. Meanwhile, DragonForce listed the company on its dark web leak site, claiming to have stolen 44 GB of corporate and customer data and threatening to publish the information if its demands were not met.
17. The City Council of Valdemoro, Spain, experienced a cyberattack that affected several municipal servers and temporarily disrupted access to public services, including the local website and internal administrative systems. Authorities activated cybersecurity protocols, isolated affected infrastructure, and launched an investigation with support from specialized technicians and law enforcement. While officials worked to restore normal operations, they stated there was no immediate evidence that citizen data had been compromised. Shortly after the incident, Kairos ransomware group claimed responsibility, alleging it had breached the municipality’s systems and obtained sensitive data, though these claims had not been independently verified at the time of reporting.
18. Anubis ransomware group claimed responsibility for a cyberattack against Colorado Dental Wellness Center, alleging it exfiltrated more than 115,000 files totaling approximately 86 GB of data before encrypting the organization’s servers. According to the threat actors, the stolen information includes sensitive patient and employee records, such as medical data, insurance documents, identification records, and other personally identifiable information. Anubis further claimed it gained access through the organization’s VPN, demanded an initial ransom of $270,000 that was later reduced to $200,000 during negotiations, and ultimately published the data after talks broke down. As of the latest reports, Colorado Dental Wellness Center had not publicly confirmed the attack or verified the group’s claims.
19. Healthcare software provider RXNT disclosed a data breach after an unauthorized actor gained access to one of its systems between March 1 and March 3, 2026, and obtained copies of patient data associated with multiple healthcare clients. According to the company, the compromised information included patient names, dates of birth, addresses, contact details, and patient identification numbers. RXNT notified affected customers in May and offered to manage breach notification requirements on their behalf while investigations continued. Subsequent reports revealed that the incident also exposed prescription information belonging to members of the U.S. Congress through the Office of the Attending Physician, including names, addresses, dates of birth, physician names, pharmacy information, and prescription records. The total number of affected individuals has not yet been publicly disclosed.
20. Qilin claimed responsibility for a cyberattack against Sysco, the world’s largest food distributor, listing the company on its dark web leak site and setting a May 12, 2026, deadline for undisclosed ransom negotiations. As proof of access, the ransomware group published screenshots of alleged internal documents and company data, claiming they had compromised Sysco’s network. While Qilin threatened to release additional information if its demands were not met, Sysco had not publicly confirmed a breach or disclosed any operational impact at the time of reporting.
21. Akira ransomware group claimed responsibility for a cyberattack against Switzerland’s Réseau Radiologique Romand (Groupe 3R), alleging it had stolen 48 GB of data containing sensitive patient information, employee identification documents, payment details, and corporate records. The attack occurred on April 30, 2026, and disrupted IT systems across the organization’s network of 20 medical imaging centers, forcing some patient examinations to be postponed or redirected to other facilities. Groupe 3R confirmed it had suffered a ransomware attack and reported reduced system availability but stated it was unable to determine whether any data had been accessed or exfiltrated. The organization notified Swiss cybersecurity authorities, filed a criminal complaint, and confirmed that it would not pay a ransom.
22. Energy Action is investigating claims that it was the victim of a cyberattack after SafePay listed the Australian energy management firm on its dark web leak site. According to the threat actors, approximately 470 GB of data was stolen during the alleged breach, and screenshots of purported internal documents were published as proof of access. The company acknowledged awareness of the claims and engaged cybersecurity specialists to determine whether its systems had been compromised. Energy Action had not confirmed any unauthorized access or data theft, and the full scope of the alleged incident remains under investigation.
23. Horizon Media confirmed it notified an undisclosed number of current and former employees about a January 2026 data breach after discovering that an unauthorized actor had accessed and exfiltrated sensitive personal information. The compromised data included names and SSNs, prompting the company to offer identity protection and credit monitoring services to affected individuals. On the same day the breach was disclosed, Chaos ransomware group claimed responsibility, alleging it had stolen 3.2 TB of data from the advertising giant and threatening to publish the information within 48 hours if its demands were not met. While Horizon Media acknowledged the breach and confirmed that employee information was compromised, it did not publicly verify the threat actor’s claims regarding the volume of data allegedly stolen.
24. The Académie de Montpellier, one of France’s largest regional education authorities, disclosed a cyberattack that resulted in the exposure of sensitive internal documents. According to reports, the leaked information included administrative records, internal correspondence, financial documents, and files containing personal data relating to employees and educational operations. MedusaLocker ransomware group claimed responsibility for the attack, alleging it had exfiltrated data from the organization and later published samples of the stolen files online. French authorities launched an investigation into the incident and worked to assess the scope of the exposure, while the academy implemented measures to secure affected systems and limit any further impact.
25. Empire Express notified 5,414 individuals that their personal information was compromised in a data breach stemming from a cybersecurity incident discovered in May 2025. According to the company, an unauthorized actor gained access to parts of its network between May 7 and May 11, 2025, and may have accessed files containing sensitive information. The exposed data varied by individual but included names, SSNs, driver’s license numbers, financial account information, and medical information. Following the incident, Empire Express launched an investigation, notified law enforcement, implemented additional security measures, and offered affected individuals complimentary credit monitoring and identity protection services.
26. A ransomware attack disrupted portions of Accretech America’s IT environment on May 4, 2026, prompting the semiconductor equipment manufacturer to disconnect affected systems and engage external cybersecurity specialists to investigate the incident. The company stated that its assessment was ongoing and that it had not yet determined whether any customer or employee information had been compromised. Shortly after the disclosure, AiLock ransomware group claimed responsibility for the attack, alleging it had obtained sensitive corporate data and threatening to publish the information unless its demands were met. Accretech continues to investigate the scope and impact of the incident while working to restore affected services.
27. Western Orthopaedics disclosed a data breach affecting 113,330 individuals after discovering unauthorized access to its network between September 17 and September 25, 2025. An investigation determined that files containing personal, financial, and protected health information may have been viewed or acquired, including names, addresses, phone numbers, SSNs, dates of birth, financial account information, health insurance details, medical provider information, dates of service, and billing records. Following the incident, the Colorado-based healthcare provider implemented additional security measures and offered affected individuals complimentary credit monitoring and identity theft protection services. PEAR later claimed responsibility for the attack and reportedly published the stolen data after ransom negotiations failed.
28. Community Health Systems disclosed a data security incident after detecting suspicious activity within its network in February. An investigation conducted with the assistance of third-party cybersecurity experts confirmed that an unauthorized party accessed portions of the network containing patient information. The compromised data varied by individual but may have included names, addresses, email addresses, phone numbers, dates of birth, SSNs, financial account information, driver’s license numbers, medical record numbers, treatment and diagnosis information, prescription details, health insurance information, Medicare and Medicaid identifiers, and medical billing records. The California healthcare provider stated that it is reviewing and enhancing its data protection policies and procedures, though the total number of affected individuals has not yet been disclosed.
29. Integrated Pain Associates is continuing to investigate the full scope of a data security incident after confirming that an unauthorized party accessed its network in February. The Texas-based pain management provider said patient information may have been accessed or acquired, including names, addresses, dates of birth, driver’s license numbers, SSNs, health insurance information, diagnosis and treatment details, medication information, provider names, and financial account information. While the review of affected files remains ongoing, the organization has implemented additional security measures and is offering complimentary credit monitoring and identity theft protection services to impacted individuals. The total number of affected individuals had not been reported.
30. Patients of Tri-Cities Gastroenterology began receiving breach notification letters after the Tennessee-based healthcare provider determined that files had been exfiltrated from its network during a cyberattack in December 2025. An investigation found that the stolen files contained personal and medical information, including names, SSNs, dates of birth, addresses, email addresses, telephone numbers, gender, and medical record numbers. Insomnia claimed responsibility for the attack shortly after the incident and later published the stolen data on its leak site, indicating that a ransom demand had not been met.
31. Qilin ransomware group claimed to have breached Spanish supermarket chain Ahorramas and published samples of allegedly stolen company data on its leak site. According to the group, the exposed information included employee and customer identification documents, financial records, tax information, payroll data, internal contracts, and store plans. The publication of the files suggests that data may have been exfiltrated from the company, although Ahorramas did not publicly confirm the breach or verify the authenticity of the leaked information. The full scope and impact of the alleged incident remained unclear.
32. Australian automotive parts importer Strategic Imports is investigating claims of a cyberattack after being listed on the dark web leak site of Bavacai. The threat actors allege they stole data from the company and threatened to publish the information online. While Bavacai did not disclose how the alleged breach occurred, it published a file tree that it claimed showed the contents of the stolen data, including folders purportedly containing sensitive business and personal information relating to employees and customers. Strategic Imports acknowledged the claims and said it was investigating the matter but had not confirmed whether its systems had been compromised or whether any data had been accessed.
33. Hematology Oncology Consultants began notifying affected individuals following a September 2025 security incident that resulted in the likely exfiltration of personal and protected health information from its network. An investigation determined that the compromised data included names, medical records, health insurance information, and SSNs. The Michigan-based healthcare provider stated that it took immediate steps to secure its systems, launched a forensic investigation, and reported the incident to regulators. While the organization did not describe the event as a ransomware attack, Rhysida ransomware group claimed responsibility, alleging it had stolen the data and threatening to sell or publish the information if a ransom was not paid. The group later claimed to have sold a portion of the stolen data and leaked approximately 40% of the files allegedly exfiltrated during the attack. The total number of affected individuals has not yet been disclosed.
34. Trellix disclosed that an unauthorized party had gained access to a portion of its source code repository, prompting the cybersecurity firm to launch an investigation with the assistance of forensic experts and notify law enforcement. The company stated that there was no evidence the incident had affected its source code release process, customer products, or service delivery. Shortly after the disclosure, RansomHouse claimed responsibility for the intrusion and published screenshots that allegedly showed access to internal Trellix systems and management platforms. While the threat actors listed Trellix on their leak site, they did not disclose the type or volume of data allegedly obtained. Trellix said it continues to investigate the scope of the incident and assess the validity of the group’s claims.
35. A security incident affecting a limited number of customer accounts prompted Egnyte to launch an investigation and notify impacted users. The company determined that the unauthorized access resulted from credential-stuffing attacks using usernames and passwords previously exposed in breaches of other online services, rather than a compromise of Egnyte’s own infrastructure. INC extortion group claimed responsibility and published what it described as proof of access, alleging it had obtained data from affected accounts. Egnyte said its investigation found no evidence that its core platform or systems had been breached and maintained that the incident was limited in scope.
36. Serveis Mèdics Penedès, a healthcare provider in Spain, became the target of a SafePay ransomware attack, after the group claimed to have stolen 3 GB of data from the organization and threatened to publish it unless a ransom was paid. According to reports, the threat actors issued a 48-hour deadline and posted samples of the allegedly compromised information on their leak site as proof of their claims. The exposed files reportedly included personal, administrative, and healthcare-related documents. Serveis Mèdics Penedès has not publicly confirmed the breach or verified the authenticity of the leaked data.
37. Genesis claimed responsibility for a March 2026 data breach at CarePoint Health, an Ontario medical clinic, alleging it stole 70 GB of medical, operational, and financial data. CarePoint previously confirmed that the breach exposed client information, including names, medical information, addresses, phone numbers, and dates of birth. The clinic said it first learned of the incident on March 19 after being contacted by a threat actor claiming unauthorized access to its network and data and later confirmed that data had been stolen. CarePoint has not acknowledged Genesis’ claim, and the number of affected individuals, attack method, ransom demand, and whether any payment was made remain unknown.
38. Australian toy distributor KB Toys was listed on the dark web leak site of the M3rx ransomware group, which claimed to have stolen 36,840 files totaling approximately 140 GB of data from the company. To support its allegations, M3rx published a text file containing what it said was a complete inventory of the exfiltrated documents, including invoices, sales records, and other business files dated as recently as 2026. The ransomware group did not disclose any ransom demand or deadline for the release of the data. KB Toys has not publicly responded to the claims or confirmed whether a breach had occurred.
39. American Lending Center confirmed it notified 123,158 individuals about a data breach stemming from a July 2025 ransomware attack. The California-based small business lender said threat actors compromised its internal network, deployed ransomware, and accessed files containing sensitive personal information, including names, SSNs, and dates of birth. The company stated that it has no evidence the exposed information has been misused and is offering affected individuals complimentary credit monitoring and up to $1 million in identity theft insurance. No ransomware group had publicly claimed responsibility for the attack at the time of reporting.
40. West Pharmaceutical Services disclosed that it was responding to a ransomware attack that disrupted parts of its IT infrastructure and affected certain operational activities. The company said it detected unauthorized activity on its network, activated incident response protocols, and took systems offline to contain the incident. While the organization did not disclose whether any data had been accessed or stolen, it warned that the attack had impacted some manufacturing, shipping, and administrative operations. The company stated that it was working with external cybersecurity experts and law enforcement to investigate the incident and restore affected systems, while implementing contingency measures to minimize disruption to customers.
41. Australian environmental and geotechnical consultancy Earth Systems was listed on the dark web leak site of INC, which claimed to have breached the company and stolen internal data. As evidence of its claims, the threat actor published screenshots of documents that appeared to include project information, corporate records, and employee-related files. INC did not disclose the volume of data allegedly obtained or provide details on how the breach occurred. Earth Systems acknowledged the claims and confirmed it was investigating the incident but has not verified the authenticity of the leaked material or confirmed that any data had been compromised.
42. Dutch healthcare laboratory Clinical Diagnostics has been criticized by regulators following a July 2025 ransomware attack that exposed the medical records of more than 850,000 women who participated in cervical cancer screening programs. The Dutch Health and Youth Care Inspectorate concluded that the laboratory failed to meet mandatory cybersecurity requirements, including conducting an independent security review and performing adequate risk assessments to identify and mitigate threats to sensitive data. The attack was carried out by Nova ransomware group, which reportedly demanded approximately €1.1 million in cryptocurrency and published samples of the stolen data despite receiving a ransom payment. The incident remains under investigation, with large-scale compensation claims reportedly being prepared on behalf of affected individuals.
43. Scope Systems confirmed it suffered a cyber incident that disrupted customer access to its Pronto Xi hosted environment, support portal, and other cloud-hosted services. The company engaged external forensic specialists to investigate the incident and restore affected systems, while keeping customers updated on recovery efforts. By May 9, Scope Systems said it had found no evidence of data loss or data exfiltration and had begun restoring services from backups. In a subsequent update, the company reported that 53% of its servers had been restored and stated that it would share further details on the nature of the incident and how the threat actor gained access once the investigation is complete.
44. BWH Hotels disclosed a data breach after discovering that a threat actor had gained unauthorized access to a web application used to store guest reservation information. An investigation found that the attacker accessed the application on October 14, 2025, and continued to exfiltrate data until the intrusion was detected on April 22, 2026. The compromised information included guest names, email addresses, phone numbers, home addresses, reservation numbers, stay dates, and special requests. The hospitality giant said it immediately took the affected application offline, revoked the unauthorized access, and engaged external cybersecurity experts to assist with its response. The company has not disclosed how many guests were affected or whether the attacker demanded a ransom.
45. Mt. Spokane Pediatrics notified 32,021 individuals that their personal and protected health information was compromised in a January 2026 cyberattack. The Washington-based pediatric practice determined that a threat actor had exfiltrated files containing sensitive data, including names, dates of birth, SSNs, diagnoses, treatment information, medical record numbers, health plan beneficiary numbers, patient numbers, and dates of service. The organization stated that it is unaware of any actual or attempted misuse of the stolen information and is offering affected individuals complimentary credit monitoring services. While the breach notice did not describe the incident as a ransomware attack, LockBit ransomware group claimed responsibility and threatened to publish the stolen data within 20 days if its demands were not met.
46. Foxconn reportedly suffered a major ransomware attack claimed by the Nitrogen ransomware group, which alleged it stole nearly 8 TB of confidential data from the electronics manufacturer, including files linked to Apple and Nvidia. The threat actors claimed the stolen dataset contained millions of sensitive files tied to Foxconn’s business operations, though the exact nature of the data has not been officially confirmed. Reports indicate the incident affected facilities and operations across several U.S. states and parts of Mexico, including Wisconsin, Ohio, Texas, Virginia, and Indiana. Foxconn’s incident response teams reportedly moved quickly to contain the attack and restore systems, limiting prolonged disruption, but the potential exposure of large volumes of corporate and client-related data remains a significant concern.
47. Murray County, Georgia, was forced to close several government offices and suspend a range of public services following a cyberattack that disrupted county computer systems. The incident affected operations at the Tax Commissioner’s Office, Probate Court, and other departments, leaving residents unable to access services such as vehicle tag renewals and property tax transactions. County officials said they were working with cybersecurity specialists to investigate the incident and restore affected systems but did not disclose the nature of the attack or whether any data had been compromised. No ransomware group has claimed responsibility for the disruption.
48. Verber Dental Group disclosed a data breach after detecting suspicious activity within its network on January 27, 2026. An investigation determined that an unauthorized party had access to the Pennsylvania-based dental provider’s systems between January 26 and January 27 and may have accessed patient information, including names, dates of birth, SSNs, driver’s license or state identification numbers, medical records, and health insurance information. The total number of affected individuals has not yet been disclosed.
49. Preakness Healthcare Center disclosed a data security incident after detecting suspicious activity within its network on March 4, 2026. A subsequent investigation determined that an unauthorized third party had access to portions of the skilled nursing facility’s network between February 24 and March 4, during which time resident information may have been viewed or acquired. The potentially exposed data included residents’ names, demographic information, and limited clinical information for individuals admitted on or after January 1, 2019. The total number of affected individuals has not been publicly disclosed.
50. Northwoods Surgery Center notified 5,385 individuals after an investigation confirmed unauthorized access to its network between July 11 and September 8, 2025. The Virginia, Minnesota-based provider said files containing patient information may have been accessed or acquired, including names, addresses, dates of birth, health insurance details, medical record numbers, provider names, dates of service, medication information, diagnosis and treatment details, and billing or claims information.
51. Hospitality technology provider Bluize was listed on Qilin’s dark web leak site, alongside claims that the group breached the company. However, the threat actors did not provide any details about the alleged incident, and the listing did not include sample data or evidence of compromise. Bluize, which provides IT and venue management solutions to pubs, bars, restaurants, and gaming venues, had not publicly commented on the claim at the time of reporting. The nature and scope of the alleged breach remain unclear.
52. Fluke Corporation confirmed it notified 18,517 individuals about a data breach after a threat actor exploited a vulnerability in a third-party application used by the company. According to Fluke, the attacker had access to a limited segment of its network between August 10 and October 7, 2025, exposing information that included SSNs, dates of birth, and an indicator of whether an individual had self-identified as having a disability. Cl0p ransomware group later claimed responsibility for the breach and listed Fluke on its data leak site, although the company has not publicly acknowledged the group’s claims.
53. The Goodstone Group confirmed it was responding to a cybersecurity incident after the newly emerged CMD Organization ransomware group listed the Tasmanian hospitality provider on its dark web leak site. The threat actors claimed to have stolen company data and published several documents as evidence, including employee passport scans, a confidentiality agreement, and bank reconciliation details from one of the group’s hotels. The data was reportedly being offered for sale to the highest bidder, with an asking price of 9 BTC, approximately $1 million. Goodstone said it began responding to the incident on April 18, 2026, engaged external cybersecurity experts, notified the Australian Cyber Security Centre and the Tasmanian government, and found evidence that cybercriminals had removed some data from its network.
54. Belmont Aesthetic & Reconstructive Plastic Surgery reported a data breach to the U.S. Department of Health and Human Services affecting 528 individuals. While the cosmetic and reconstructive surgery practice has not publicly disclosed details about the incident, the breach appears to be linked to a ransomware attack. Insomnia ransomware group added the organization to its dark web leak site in March 2026 and threatened to publish allegedly stolen data if a ransom was not paid. The nature of the compromised information and the full circumstances surrounding the incident had not been disclosed.
55. Orem Eye Clinic disclosed a cybersecurity incident that affected approximately 5,800 patients and reported the breach to the U.S. Department of Health and Human Services. The Utah-based provider has not publicly released details about the nature of the incident or the specific types of information that may have been compromised. Around the same time, NightSpire ransomware group claimed responsibility for the attack, alleging it had exfiltrated 1 TB of data from the clinic and listing the organization on its dark web leak site. The clinic had not publicly verified the group’s claims at the time of reporting.
56. A network intrusion at Advanced Family Surgery Center exposed sensitive patient information after an unauthorized third party gained access to portions of the organization’s systems in November 2025. The affected files contained personal, medical, and insurance information, including SSNs, medical record numbers, treatment details, and Medicare and Medicaid identifiers. Following the incident, the healthcare provider strengthened its security controls and launched a review of its data protection practices. Genesis ransomware group later claimed responsibility for the attack, alleging it had stolen roughly 100 GB of data from the organization.
57. Shri Balaji Valve Components disclosed that it was hit by a ransomware attack after detecting unauthorized activity on its data server on May 15, 2026. The Indian manufacturer said it immediately implemented emergency measures to secure its systems, isolate affected infrastructure, and maintain business continuity while launching an investigation with internal IT teams and external cybersecurity specialists. At the time of disclosure, the company had not provided details on the scope of the incident, whether any data had been accessed or stolen, or whether operations were materially affected.
58. The Dutch Language Institute (Instituut voor de Nederlandse Taal) was forced offline following a cyberattack that disrupted its digital services and made several online language resources temporarily unavailable. The organization disconnected affected systems as a precaution while investigating the incident and working to restore operations. Shortly after the disruption, the ransomware group The Gentlemen claimed responsibility for the attack and listed the institute on its leak site. At the time of reporting, the institute had not disclosed whether any data had been compromised, and the full scope of the incident remained under investigation.
59. HDFC Asset Management Company disclosed a cybersecurity incident after receiving a communication from an anonymous source claiming to have accessed portions of its IT infrastructure. The company said it identified the incident on May 16, 2026, immediately activated its incident response procedures, and engaged a specialist cybersecurity firm to conduct a forensic investigation and assess the potential impact. While HDFC AMC did not reveal the nature of the incident or whether any customer or financial data had been compromised, it stated that preliminary findings indicate no material impact on business operations, investor services, or fund management activities. The investigation remains ongoing.
60. Generation Life was listed on the dark web leak site of Qilin ransomware group weeks after the Australian financial services firm disclosed a cyber incident involving unauthorized access through an external service provider. While Qilin claimed responsibility for the attack, the group did not publish any sample data or provide details about the scope of the alleged compromise. Generation Life said the incident had been contained and that it had found no evidence of unauthorized transactions or access to systems responsible for investment activities. The company added that it was working with specialist cybersecurity and forensic experts to investigate the threat actor’s claims and assess whether any data had been accessed.
61. Grafana Labs disclosed that a threat actor gained access to its GitHub environment and downloaded the company’s source code, prompting an internal investigation and remediation efforts. The observability platform provider said it found no evidence that customer data, personal information, customer systems, or business operations were affected by the incident. According to the company, the attackers attempted to extort Grafana Labs by threatening to release the stolen codebase unless a payment was made, but the firm refused the demand. The attack has been attributed to Coinbase Cartel. Grafana Labs said it has identified the source of the credential compromise, invalidated the affected credentials, and implemented additional security measures to protect its environment.
62. German healthcare audit organization Arwini e.V. is investigating a cyberattack after ransomware group Kairos claimed responsibility and alleged it had stolen 2.87 TB of data from the organization’s systems. Arwini, which processes health and billing information for statutory health insurers in Lower Saxony, said that up to 75,000 records could potentially be affected in a worst-case scenario, although it has not confirmed whether any data was actually exfiltrated. Sample files published by Kairos reportedly included correspondence between health insurance providers and medical practices, while the group threatened to sell the allegedly stolen data. The incident is being investigated by law enforcement and data protection authorities, with police confirming Kairos was behind the attack and coordinating with international partners as inquiries continue.
63. Excelas notified individuals of a data breach after discovering that an unauthorized third party had accessed certain systems between November 27 and December 3, 2025. The medical record organization and analysis software provider said a limited amount of data may have been viewed or copied, including names, dates of birth, SSNs, government-issued ID numbers, diagnoses, physician names, medications, medical record images, payment information, and health insurance details. Cl0p extortion group claimed it had exfiltrated sensitive data from Excelas’ systems, although the total number of affected individuals has not yet been disclosed.
64. Pulpdent Corporation disclosed a cybersecurity incident after detecting unauthorized activity within its network in March 2026. An investigation determined that sensitive information, including names, SSNs, driver’s license numbers, and financial account information, may have been exposed and potentially stolen. The Massachusetts-based dental research and manufacturing company began notifying affected individuals in May. INC claimed responsibility for the attack, alleging it had exfiltrated sensitive data from the company’s systems. The total number of affected individuals has not yet been publicly disclosed.
65. DragonForce claimed responsibility for a cyberattack against AdvancedHealth, alleging it stole 390 GB of data from the healthcare services provider, including 2.3 million lines of patient information, as well as partner agreements, management records, payroll data, and human resources files. The group posted the claim on its leak site and threatened to release 1,000 records per day until its demands were met. The allegation emerged weeks after Columbia Surgical Partners, one of AdvancedHealth’s affiliated clinics, disclosed a data breach involving its parent company. AdvancedHealth has not publicly acknowledged DragonForce’s claims, and the scope of the incident, the number of affected individuals, and whether any ransom was paid remain unknown.
66. Extant Aerospace confirmed that a ransomware attack detected on August 23, 2025, compromised personal information belonging to 3,012 current and former employees and other individuals. The Melbourne, Florida-based aerospace and defense electronics contractor said an unauthorized actor accessed certain internal systems and may have acquired data including names, addresses, dates of birth, and SSNs. Extant engaged external cybersecurity experts, secured affected systems, and notified law enforcement following the incident. No known threat group had claimed responsibility for the attack.
67. Australian engineering and manufacturing firm Metaval was listed on the dark web leak site of INC, which claimed to have stolen 80 GB of data from the company. According to the threat actors, the allegedly compromised information includes contracts, financial records, confidential business documents, customer data, incident reports, and HR files. INC threatened to publish the data within days if its demands were not met; however, the group did not provide any evidence to support its claims. Metaval had not yet publicly commented on the alleged breach.
68. Senegal’s Public Treasury (Trésor Public du Sénégal) announced the gradual restoration of its operations following a cyberattack that disrupted a number of digital services and internal systems. As recovery efforts continued, AuditTeam ransomware group claimed responsibility for the incident and published what it described as proof of claims on its leak site. The agency said technical teams were working to restore affected platforms while maintaining essential public financial services, with operations progressively returning to normal. Authorities have not disclosed whether any data had been compromised or verified the authenticity of the threat actor’s claims.
69. SafePay claimed responsibility for an April 2026 cyberattack against the Harrison County Commission in West Virginia, alleging it had stolen data from the organization and giving officials three days to meet its ransom demands. The incident disrupted county operations, forcing the courthouse to turn away residents attempting to pay property taxes and impacting a number of government services. While most systems had been restored by early May, some administrative functions remained affected. The Harrison County Commission has not acknowledged SafePay’s claims or confirmed whether any data was compromised, and the ransomware group’s allegations remain unverified.
70. Nacogdoches Memorial Hospital disclosed a major data breach affecting 2,507,073 patients after discovering unauthorized access to its internal network and information systems on January 31, 2026. The Texas healthcare provider said a threat actor exfiltrated data containing names, addresses, phone numbers, email addresses, SSNs, dates of birth, medical record and account numbers, health plan beneficiary numbers, and possible photographic images. The hospital said it severed the unauthorized access, worked with law enforcement, and implemented additional security measures, including remediation steps, enhanced network security, updated procedures, and further staff awareness training. Nacogdoches Memorial Hospital did not disclose how long the attacker had access or whether a ransom demand was made.
71. The Australian College of Business Intelligence (ACBI) is investigating a potential cyber incident after being listed on Qilin’s dark web leak site. While the threat actors claimed to have breached the college, they did not publish any details about the alleged attack or provide samples of stolen data. ACBI said it became aware of the claims through its IT services provider and has engaged external cybersecurity specialists while notifying relevant authorities and regulatory bodies. The college added that initial investigations had found no evidence that student data had been compromised, although inquiries into the nature and scope of the incident remain ongoing.
72. A cyber incident involving a third-party IT service provider led to unauthorized access to a limited portion of Menzies Group’s network, the company confirmed. The Australian cleaning services provider said it immediately contained the incident, engaged external cybersecurity specialists, and notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. The disclosure came after Qilin listed Menzies on its dark web leak site, although the threat actors did not provide any details about the alleged attack or publish evidence of stolen data. Menzies said its investigation remains ongoing and that cybersecurity experts are assessing the validity and scope of Qilin’s claims.
73. Erie Family Health Centers disclosed a major data breach affecting up to 570,000 individuals after discovering unauthorized access to its network in January 2026. An investigation determined that a threat actor had access to the Chicago-based healthcare provider’s systems between December 10, 2025, and January 27, 2026, potentially exposing a wide range of personal and protected health information. Depending on the individual, the compromised data may have included SSNs, government-issued identification numbers, financial information, health insurance details, medical records, treatment information, online account credentials, and other sensitive personal data. No threat group has publicly claimed responsibility for the incident.
74. Lumexa Imaging disclosed a vendor-related data breach affecting 2,994 individuals after an unauthorized actor allegedly exploited a connection between the company and a third-party service provider. The incident stemmed from a compromise of the vendor’s systems between March 31 and April 9, 2026, which may have allowed access to documents associated with Lumexa’s affiliated radiology practices. The exposed information included patient names, dates of birth, addresses, phone numbers, account numbers, insurance information, diagnoses, visit dates, and other clinical records, while a small subset of individuals also had their SSNs compromised. Lumexa said it immediately terminated the vendor’s access upon learning of the incident, and the vendor has since implemented additional security measures.
75. Expert MRI disclosed a data breach affecting 209,560 individuals after discovering unusual activity within its internal network in September 2025. The California radiology provider said an unknown actor accessed and copied certain files between August 14 and August 24, 2025, exposing information including names, addresses, dates of birth, admission dates, diagnosis and treatment information, and SSNs. Expert MRI secured its network, engaged external cybersecurity experts, notified regulators, and is offering affected individuals complimentary identity protection and credit monitoring services. PEAR ransomware group later claimed responsibility for the attack, alleging it had stolen 617 GB of confidential data and threatening to publish the files unless its demands were met.
76. FMRS Health Systems disclosed a data breach after detecting suspicious activity within its network on February 27, 2026. An investigation determined that an unauthorized actor had access to its systems between January 20 and February 27 and copied files containing patient information, although the organization stated that electronic medical records were not accessed. The exposed data included names combined with personal, financial, and health-related information such as SSNs, driver’s license numbers, medical history, treatment details, prescription information, health insurance data, and medical record numbers. While FMRS did not characterize the incident as a ransomware attack, Qilin ransomware group claimed responsibility for the breach. The organization has reported the incident to federal regulators, and the total number of affected individuals is expected to rise as the investigation continues.
77. Delano Public Schools was forced to close its schools for a day after a ransomware attack disrupted district systems. Superintendent Matt Schoen said the incident was first discovered when ransomware messages began printing from printers across the district, prompting IT staff to immediately shut down online systems and school officials to cancel classes while the situation was addressed. In-person learning resumed the following day, although Wi-Fi access remained unavailable as recovery efforts continued. District officials said they were confident that no student, staff, or Google Classroom data had been accessed during the attack.
78. Glendora Surgery Center disclosed a data breach after determining that an unauthorized party accessed its network between November 29 and December 3, 2025, and exfiltrated files containing patient information. The California-based provider said the compromised data included patient names and medical treatment information. The organization has reviewed its privacy and security policies, enhanced administrative and technical safeguards, and provided additional cybersecurity training to staff. The incident has been reported to the U.S. Department of Health and Human Services, and the total number of affected individuals remains under review, with at least 501 people currently identified.
79. CRIT Tunisie and CRIT RH, the Tunisian subsidiaries of Groupe CRIT, disclosed a cyberattack that resulted in a data breach involving personal information belonging to former temporary workers, permanent employees, and certain third parties. The incident was limited to the two Tunisian entities, both of which had already ceased operations following changes to Tunisian labor laws in 2025. Groupe CRIT said it immediately secured the affected systems, launched an investigation into the scope of the breach, and notified Tunisia’s data protection authority. Separately, Titan ransomware group claimed responsibility for the attack and published samples of allegedly stolen data, including payroll records, administrative documents, financial files, and identity documents, although the full extent of any data exfiltration has not been independently verified.
80. Tampa Bay Dental Implants & Prosthetics disclosed a ransomware attack that affected 6,400 individuals after discovering on January 19, 2026, that files on a legacy server had been encrypted. The Florida-based dental provider said the compromised server contained backup copies of electronic medical records, and a subsequent investigation determined that patient information had been exposed. The affected data included names, contact information, dates of birth, treatment notes, clinical histories, and, for a limited number of individuals, SSNs. In response, the organization enhanced its security logging capabilities, strengthened server encryption, and updated access controls to reduce the risk of similar incidents in the future.
81. Aligned Orthopedic Partners notified 7,213 individuals after discovering unauthorized access to its email environment between November 16 and December 16, 2025. A forensic review found that emails and files may have been accessed or acquired, exposing protected health information and personal data such as names, dates of birth, SSNs, driver’s license or state identification numbers, Medicare or Medicaid numbers, financial account details, medical provider names, treatment and diagnosis information, prescription information, health insurance data, patient account numbers, and medical record numbers.
82. Spanish chemical manufacturer Olipes was listed on SafePay’s dark web leak site. The group claimed to have breached the company and threatened to publish allegedly stolen data unless an undisclosed ransom was paid within three days. The threat actors said the incident had entered the public extortion phase of the attack and indicated that internal company information had been obtained as part of a double extortion operation. While SafePay did not disclose the amount demanded, the group warned that data would be released if negotiations failed. Olipes has not publicly commented on the incident or confirmed whether any data had been compromised.
83. Regional Victorian newspaper The Adviser was listed on Brain Cipher’s dark web leak site, with the group claiming to have stolen more than 350 GB of data from the media outlet. The threat actors said they had set a ransom deadline of June 2, 2026, after which the allegedly stolen information would be published. However, Brain Cipher did not provide any evidence to support its claims, such as screenshots or sample documents, nor did it disclose the amount of its ransom demand. The Adviser has not publicly commented on the allegations or confirmed that a cyber incident had occurred.
84. MyPillow became the subject of an alleged cyberattack after sensitive company and employee data was purportedly listed for publication on a ransomware leak site. Play ransomware group claimed to have stolen a range of information, including financial records, payroll data, tax documents, employee identification files, and customer-related information, and reportedly set a deadline before releasing the data. MyPillow CEO Mike Lindell rejected the allegations, stating that the company had not suffered a breach and describing the claims as politically motivated.
85. DocketWise disclosed a data breach affecting 143,480 individuals after discovering unauthorized access to one of its third-party partner repositories in October 2025. The Austin-based immigration law software provider said threat actors used valid credentials to clone repositories connected to a data migration pipeline containing law firm records and personal information. The exposed data included names, SSNs, dates of birth, driver’s license and passport numbers, banking information, government and tax identification numbers, health insurance details, medical information, and account credentials. DocketWise said its investigation found no evidence that the stolen information had been leaked online or used to extort law firms, and no threat group had claimed responsibility for the incident.
86. Branded Products has been linked to an alleged cyberattack after the Melbourne-based company was named on the Qilin ransomware group’s dark web leak site. The entry contained no supporting evidence, sample data, ransom deadline, or description of the information purportedly obtained. As a result, the extent of the alleged compromise remains unknown, and the company has not publicly commented on the claims.
87. An alleged cyberattack targeting Alpha Group Holdings surfaced after the New Zealand company appeared on the Qilin ransomware group’s leak site. Despite attracting thousands of views, the post contained no supporting evidence, no description of the incident, and no indication of what information may have been compromised. The company has not commented publicly on the matter.
88. Charter Communications confirmed it was investigating a cybersecurity incident after ShinyHunters claimed it had stolen tens of millions of customer records from the telecommunications provider. The group alleged it breached Charter on April 1, 2026, through a voice phishing attack that compromised an employee’s Microsoft Entra account and enabled access to customer data in a Salesforce environment. ShinyHunters claimed the stolen information included names, contact details, plan information, support ticket data, and some customer proprietary network information, affecting approximately 40 million to 42 million records. Charter said it was following security protocols and notifying authorities but stated that no sensitive personal information or customer proprietary network information was exfiltrated. The company has not confirmed the attack method, the number of affected customers, or whether customer notifications will be issued.
89. Residents of Sandstone, Minnesota, are being notified of a ransomware attack that disrupted city systems in April 2026 and may have exposed sensitive personal information. According to the city, the compromised data included names, SSNs, financial account and routing numbers, addresses, and dates of birth. Qilin ransomware group later claimed responsibility for the attack and added Sandstone to its leak site, although city officials have not publicly confirmed the group’s involvement.
90. A cyberattack on German medical billing services provider Unimed has led to data breaches at multiple university hospitals and healthcare organizations across the country. The April 2026 incident involved the theft of patient data processed by Unimed on behalf of its healthcare clients, prompting the company to disconnect customer interfaces, notify authorities, and engage forensic experts to assess the impact. Several hospitals have since disclosed patient data exposures, including Freiburg University Hospital, which said approximately 54,000 patients were affected, and University Hospital Cologne, which reported that names, addresses, and treatment information relating to around 30,000 patients had been compromised. While Unimed said it was able to prevent the attackers from deploying ransomware, the breach has triggered investigations and patient notification efforts across Germany’s healthcare sector.
91. Australian appliance supplier QLS Group was claimed as a victim by DragonForce, which alleged it had stolen 554.65 GB of company data. To support its claim, the threat actors published a small sample of allegedly exfiltrated information, including confidential documents, contract records, and an incident report. DragonForce provided few details about the nature of the alleged attack.
92. Industrial Acceptance Corporation confirmed it notified 79,216 individuals about a February 2025 ransomware-related data breach that exposed names, SSNs, and driver’s license numbers. The company said it detected unauthorized activity on February 24, took systems offline to restore operations safely, and later learned that certain files had been removed from its network. IAC attributed the ransomware event to INC, although the ransomware group did not list the company on its leak site. Separately, Akira claimed responsibility for an attack on IAC in March 2025 and alleged it had stolen 60 GB of data, but IAC has not acknowledged that claim.
93. Plaza Home Mortgage disclosed a data breach after determining that personal information belonging to customers and employees may have been exposed during a security incident. The California-based mortgage lender began notifying affected individuals in May and directed them to a dedicated response website for additional information and guidance. While the company has not publicly disclosed the full scope of the compromised data, separate reports indicate that Silent claimed responsibility for an attack against Plaza Home Mortgage earlier in the year and threatened to release allegedly stolen information. Plaza has not publicly confirmed the group’s claims, and the extent of any data exfiltration remains unclear.
94. Weil, Gotshal & Manges confirmed it recently responded to a cyber incident involving the unauthorized upload of a limited number of client documents to an external cloud storage platform. The law firm said it activated its incident response procedures, engaged third-party cybersecurity experts, and notified law enforcement after discovering the activity. According to Weil, forensic investigators determined that the threat actor did not gain access to the firm’s network and that business operations were not disrupted. Reports later linked the incident to Silent ransomware group, with others suggesting that Weil paid between $18 million and $20 million to prevent the publication of stolen client data, although the firm has not publicly confirmed that a payment was made.
95. Brisbane accounting firm Kennedy McLaughlin & Associates confirmed it experienced a cyber incident involving unauthorized third-party access to part of its IT environment after being listed on Qilin’s dark web leak site. The firm said it mobilized a response team, contained the incident, secured its systems, and engaged cybersecurity experts to support its investigation and recovery efforts. Qilin initially listed the company in March, but the full dataset was reportedly published later and included financial details belonging to several clients alongside other company data. Kennedy McLaughlin said it has notified individuals whose information may have been impacted and reported the incident to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.