Apr 13, 2026
Anubis Ransomware Stole 2TB of Patient Data—Then Gave the Hospital Two Weeks to Pay or Lose It Forever
Ambulances were diverted from Brockton Hospital while staff worked from paper charts. The attackers did not even need to encrypt a single file.
What Happened
On April 6, 2026, Signature Healthcare detected a cybersecurity incident that forced Brockton Hospital in southeastern Massachusetts into emergency protocols. Electronic health records went offline. The patient portal became inaccessible. Pharmacies stopped filling prescriptions. And ambulances were diverted to other facilities because staff could not access the systems needed to treat incoming patients.
Three days later, the Anubis ransomware group claimed responsibility, stating it had stolen 2 terabytes of critical and sensitive patient information. The group posted Signature Healthcare on its dark web leak site as proof.
A New Kind of Ransomware Threat
What makes this attack unusual is what Anubis did not do. The group did not encrypt Signature Healthcare's systems. Traditional ransomware locks files and demands payment for the decryption key. Anubis skipped that step entirely and focused purely on data theft.
According to Trend Micro analysts, Anubis is an emerging ransomware-as-a-service group with a distinctive feature: a "wipe mode" that permanently erases stolen file contents if the ransom goes unpaid. Rather than threatening to publish your data, the group threatens to destroy it. For a hospital system that needs patient records to operate, the stakes are existential.
This shift from encryption to exfiltration and destruction represents an evolution in ransomware tactics. Encrypted systems can be restored from backups. Data destruction and the threat of public leaks create dual pressure that backup strategies cannot solve alone.
The Impact on Patient Care
The operational fallout hit immediately. With electronic medical records offline, clinicians reverted to paper charts. Lab work continued but faced delays. Cancer treatments resumed by Friday, but the hospital's leadership told staff that full system restoration would take two weeks.
Ambulance diversion is the most dangerous consequence of a hospital cyberattack. When emergency patients must be routed to more distant facilities, the additional transport time can be the difference between recovery and death. Research has shown that ransomware attacks on hospitals are directly associated with increased patient mortality.
This is not an isolated pattern. Healthcare has become the most targeted sector for ransomware. Earlier this year, ransomware hit the company running 80% of Dutch hospitals' patient records. In 2025, Iranian hackers wiped 80,000 devices at medical device giant Stryker.
What Happened to the Ransom Demand
Signature Healthcare's spokesperson declined to comment on whether the organization was negotiating with Anubis or considering a payment. However, a notable development followed: Anubis removed Signature Healthcare from its dark web leak site shortly after the initial listing.
Removal from a leak site can mean several things. The victim may have paid. Negotiations may be ongoing under a confidentiality agreement. Or the group may have decided the target was not worth the attention. Without official confirmation, the outcome remains unknown.
Why Healthcare Keeps Getting Hit
Hospitals make ideal ransomware targets for reasons that go beyond weak security. Healthcare organizations cannot afford downtime. Every hour of system outage means patients going untreated, surgeries postponed, and emergency care degraded. This urgency creates maximum pressure to pay quickly.
Healthcare also handles some of the most sensitive data in existence: medical histories, diagnoses, prescriptions, Social Security numbers, and insurance details. This data commands premium prices on criminal marketplaces and creates significant regulatory liability under HIPAA if exposed.
The combination of operational urgency and data sensitivity makes healthcare a high-yield, low-risk target for ransomware operators who know that hospitals will pay rather than watch patients suffer.
What This Means for Patients
If you are a Signature Healthcare patient, the stolen data potentially includes your medical records, personal identifiers, and insurance information. While Signature Healthcare has not confirmed the specific data categories compromised, 2 terabytes is an enormous volume that likely spans years of patient records.
Steps to take now:
- Monitor your accounts. Watch for unfamiliar medical bills, insurance claims you did not file, or credit inquiries you did not initiate.
- Place a fraud alert or credit freeze. Contact one of the three major credit bureaus to make it harder for someone to open accounts in your name.
- Watch for phishing. Stolen health data often fuels targeted phishing campaigns impersonating your healthcare provider or insurer.
- Request your records. Once systems are restored, ask Signature Healthcare what data was involved and whether breach notification will follow.