Over 18,000 individuals across multiple breaches
In May 2026, a series of data breaches across several HIPAA-regulated entities has exposed the sensitive Protected Health Information (PHI) of over 18,000 individuals. Organizations including the World Trade Center (WTC) Health Program, LHC Group, and Tampa Bay Dental have reported incidents ranging from ransomware attacks to unauthorized access to cloud environments. The TridentLocker ransomware group has claimed responsibility for the WTC Health Program breach, which occurred via a third-party vendor, Managed Care Advisors. These events highlight the persistent targeting of the healthcare sector, the significant risks associated with the supply chain, and the high value criminals place on patient data, which includes Social Security numbers, medical diagnoses, and financial information.
The attacks demonstrate a multi-faceted threat landscape targeting the healthcare industry. The primary vectors observed include:
The compromised data is extensive and highly sensitive, including names, Social Security numbers, dates of birth, medical diagnoses, and financial account information. This information is highly sought after on dark web markets for identity theft, financial fraud, and targeted phishing campaigns.
The attacks leverage a variety of Tactics, Techniques, and Procedures (TTPs). Based on the reporting, the following MITRE ATT&CK techniques are likely involved:
T1486 - Data Encrypted for Impact: Used by TridentLocker against the WTC Health Program and in the Tampa Bay Dental incident to render files inaccessible.T1133 - External Remote Services: A likely initial access vector for accessing servers at Managed Care Advisors and Tampa Bay Dental.T1078 - Valid Accounts: Potentially used to gain access to Pivot Health's AWS environment, either through compromised credentials or misconfigured permissions.T1537 - Transfer Data to Cloud Account: Attackers exfiltrated data from the vendor's server in the WTC Health Program breach, a common step before deploying ransomware.T1213 - Data from Information Repositories: Attackers specifically targeted and copied files containing client names, Medicaid numbers, and other PHI from the South Alabama Regional Planning Commission.The attack on the WTC Health Program vendor, with initial access in November 2025 and detection in December 2025, shows a significant dwell time. This allowed the TridentLocker group ample opportunity to perform reconnaissance, identify high-value data, and exfiltrate it before executing the final encryption payload.
The impact of these breaches is severe for both the individuals affected and the healthcare organizations.
No specific file hashes, IP addresses, or domains were mentioned in the source articles.
Security teams in the healthcare sector may want to hunt for activity related to these types of attacks. The following patterns could indicate related activity:
process_namevssadmin.exevssadmin.exe delete shadows /all /quiet to delete volume shadow copies and hinder recovery. Monitor for its execution, especially by non-standard user accounts.log_sourceAWS CloudTrailGet*, List*, or Describe* API calls, followed by unusual data access patterns from unfamiliar IP ranges or user agents.network_traffic_patterncommand_line_patternreg.exe save HKLM\SECURITYDetecting and responding to these threats requires a multi-layered approach.
Preventing these attacks requires both technical controls and strategic initiatives.
Additional healthcare entities, including UNMC, report breaches, increasing total affected individuals to tens of thousands.
This update details additional breaches impacting the healthcare sector, bringing the total to at least nine HIPAA-regulated entities. Notably, the University of Nebraska Medical Center (UNMC) disclosed a breach affecting 26,937 individuals due to an exploited vulnerability in third-party REDCap software, with attacker access from September 2023 to February 2026. Singing River Health System also reported a hacking incident. These new disclosures expand the scope of the ongoing wave of attacks, increasing the total number of exposed patient records to tens of thousands and highlighting diverse attack vectors including software vulnerabilities.
Initial breach occurs at Managed Care Advisors, vendor for the WTC Health Program.
TridentLocker ransomware attack detected at Managed Care Advisors.
Tampa Bay Dental discovers unauthorized access and ransomware on its network.
Unauthorized third party gains access to Pivot Health's AWS environment.
Pivot Health detects and blocks unauthorized access to its AWS environment.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.