A ransomware gang is trying to turn a Tennessee healthcare group into a public pressure campaign.
DragonForce claims it stole 390 GB of data from AdvancedHEALTH, including 2.3 million lines of patient information and records tied to minors, according to cybersecurity firm DeXpose. AdvancedHEALTH has not confirmed the group's full claim, and the scope of any exposed data remains unverified.
At least one affiliated clinic has notified patients of a breach, while class-action attorneys are seeking current and former patients and employees who believe their information may have been compromised.
Leak deadline hangs over a wider data claim
DragonForce paired its leak-site post with a deadline, threatening to publish "1,000 lines of patient data per day" until a payment was made or the countdown expired, according to DeXpose.
The patient files appear to be the center of the extortion threat. International Cyber Digest put the dataset at almost 2 million unique patient records after deduplication across 179 patient files, with 83,162 minors included in that count.
The claimed haul also reaches into business operations, with partner agreements, management documents, payroll records, and HR files listed among the materials. A file tree reviewed by International Cyber Digest included eClinicalWorks artifacts, carrier contracts with major insurers, and roughly 200 PatientData subdirectories apparently tied to individual medical practices.
What has been confirmed so far
AdvancedHEALTH declined to comment, and there's no official confirmation of DragonForce's allegations.
However, an affiliated clinic provides the clearest confirmed link so far. According to Comparitech, Columbia Surgical Partners told patients it was notifying them about a breach at its parent company, Advanced Diagnostic Imaging, which does business as AdvancedHealth.
The ransomware attack also reportedly disrupted the clinic's access to electronic medical records, showing an operational impact separate from DragonForce's broader data-theft claim.
DragonForce runs on a ransomware-as-a-service model
DragonForce operates as ransomware-as-a-service, giving affiliates access to its malware and infrastructure in exchange for a share of ransom payments. The model can make attribution messy because the name on the leak site may represent a broader network of operators rather than a single fixed crew.
Since late 2023, the group has targeted victims across retail, shipping, logistics, technology, and critical infrastructure. Its 2026 activity has been heavy, with 167 claimed attacks and 14 confirmed by targeted organizations.
Healthcare has not been outside its orbit. Prior incidents attributed to DragonForce include Asheville Eye Associates, Heart of Texas Behavioral Health Network, Greater Cincinnati Behavioral Health Services, and Neurological Associates of Washington.
Legal scrutiny is already building around the alleged incident. Class-action attorneys are seeking current and former AdvancedHEALTH patients and employees as they investigate whether to file a lawsuit.