AdvancedHEALTH Ransomware Claim Includes 2.3M Patient Data Lines
A ransomware gang is running a public pressure campaign against a Tennessee healthcare group.
DragonForce claims it stole 390 GB of data from AdvancedHEALTH, including 2.3 million lines of patient information and records tied to minors, according to cybersecurity firm DeXpose. AdvancedHEALTH has not confirmed the group’s full claim, and the scope of any exposed data remains unverified.
At least one affiliated clinic has notified patients of a breach, while class-action attorneys are seeking current and former patients and employees who believe their information may have been compromised.
Leak deadline hangs over a wider data claim
DragonForce paired its leak-site post with a deadline, threatening to publish “1,000 lines of patient data per day” until a payment was made or the countdown expired, according to DeXpose.
The patient files appear to be the center of the extortion threat. International Cyber Digest put the dataset at almost 2 million unique patient records after deduplication across 179 patient files, with 83,162 minors included in that count.
The claimed haul also reaches into business operations, with partner agreements, management documents, payroll records, and HR files listed among the materials. A file tree reviewed by International Cyber Digest included eClinicalWorks artifacts, carrier contracts with major insurers, and roughly 200 PatientData subdirectories apparently tied to individual medical practices.
What has been confirmed so far
AdvancedHEALTH declined to comment, and there’s no official confirmation of DragonForce’s allegations.
However, an affiliated clinic provides the clearest confirmed link so far. According to Comparitech, Columbia Surgical Partners told patients it was notifying them about a breach at its parent company, Advanced Diagnostic Imaging, which does business as AdvancedHealth.
The ransomware attack also reportedly disrupted the clinic’s access to electronic medical records, showing an operational impact separate from DragonForce’s broader data-theft claim.
DragonForce runs on a ransomware-as-a-service model
DragonForce operates as ransomware-as-a-service, giving affiliates access to its malware and infrastructure in exchange for a share of ransom payments. The model can make attribution messy because the name on the leak site may represent a broader network of operators rather than a single fixed crew.
Since late 2023, the group has targeted victims across retail, shipping, logistics, technology, and critical infrastructure. Its 2026 activity has been heavy, with 167 claimed attacks and 14 confirmed by targeted organizations.
Healthcare has not been outside its orbit. Prior incidents attributed to DragonForce include Asheville Eye Associates, Heart of Texas Behavioral Health Network, Greater Cincinnati Behavioral Health Services, and Neurological Associates of Washington.
Legal scrutiny is already building around the alleged incident. Class-action attorneys are seeking current and former AdvancedHEALTH patients and employees as they investigate whether to file a lawsuit.
