A notorious ransomware gang previously responsible for attacks on multiple hospitals has now claimed a new victim: disability nonprofit Easterseals.

The Rhysida ransomware group stooped to new lows this week when it attempted to extort $1.3 million from the organization, which provides support to disabled children, seniors, military veterans and others. 

Easterseals did not respond to requests for comment but filed breach notification documents with regulators in Maine saying its Peoria-based Central Illinois location dealt with a cyberattack in April. The filing did not mention the ransomware group, but the cybercriminals claimed the attack this week.

The nonprofit is one of the oldest disability-focused organizations in the U.S., serving more than 1.5 million people across the country and providing additional services to 100,000 physicians who care for those in need. Easterseals says that more than 80% of its fundraising is spent directly on care for the disabled. 

The notification letters say that on April 1, the organization “experienced a network disruption that impacted the functionality and access of certain systems.” 

“Upon discovery of this incident, Easterseals immediately disconnected all access to the network and promptly engaged a specialized third-party cybersecurity firm and IT personnel to assist with securing the environment, as well as, to conduct a comprehensive forensic investigation to determine the nature and scope of the incident,” the organization said. 

“The forensic investigation determined that the unauthorized actor accessed certain files from Easterseals’ network, some of which included personal information.” 

The filing in Maine says 14,855 people had their full name, address, driver’s license, Social Security number, medical information, health information and passport accessed by the hackers. 

Victims are being given 12 months of identity protection services. The organization added that it is now using endpoint security software, cloud-based servers and credential hardening tools like multifactor authentication.

Rhysida ransomware actors posted the organization on its leak site this week, demanding 20 bitcoin by October 30. 

The group has already attacked multiple healthcare organizations — including The Ann & Robert H. Lurie Children’s Hospital of Chicago and hospitals run by Prospect Medical Holdings.

Rhysida launched a Christmas-season attack on the World Council of Churches last December and this year has already brought down systems used by the Port of Seattle and the city of Columbus, Ohio.