The Qilin ransomware group listed CODAC Behavioral Healthcare, a nonprofit health care treatment organization, as one of their latest victims.

Qilin seems to have a preference for healthcare and support organizations. One of their most well-known victims was the pathology lab services provider Synnovis in June 2024, causing chaos across the NHS in London.

CODAC Behavioral Healthcare is Rhode Island’s oldest and largest nonprofit, outpatient provider of treatment for Opioid Use Disorder (OUD) and runs seven community-based locations. CODAC works with individuals, families, and communities and provides comprehensive resources to those living and struggling with the challenges of substance use disorder and behavioral healthcare issues.

Within the stolen data, Malwarebytes Labs noticed financial information, pictures of ID cards, a list of staff members—including their Social Security Numbers (SSNs)—and healthcare cards.

Ransomware attacks are evolving around the world, as cybercriminals have steadily advanced their tactics to not only encrypt and lock up systems once inside an organization, but to also steal sensitive data and then threaten to publish it as a way to add extra pressure to their demands. Attacks are at an all-time high in 2024, and attacks specifically targeting healthcare and support organizations represent a large portion of all attacks in the US.

As ThreatDown reported earlier in 2024, 70% of all known attacks on healthcare happen in the US. This makes healthcare the second most attacked sector in the US, where it accounts for 9% of known attacks.

Sensitive information like the data kept by healthcare organizations obviously increases the amount of leverage for the ransomware group, and despite some gangs promising not to attack healthcare, most of them show no such conscience.

A separate data breach carried out by a ransomware group that Malwarebytes Labs learned about this week was on the US Marshalls Service. Hunters International ransomware group posted 386 GB of data that appears to include files on gangs, documents from the FBI, specific case information, operational data, and more.

The US Marshalls Service said the data comes from a ransomware attack they acknowledged in February of 2023, but which had never been claimed before. Maybe the ransomware group was hesitant to paint a bullseye on their back.

So far, Malwarebytes Labs has not seen any official reaction by CODAC Behavioral Healthcare. If they come out with one or respond to our query, we will keep you posted.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.