Illinois and Texas Healthcare Data Breaches Expose 600,000 Patients: Inside the Insomnia Ransomware Attacks
If a rising ransomware crew can break into two separate healthcare providers in two different states—on opposite ends of the country—what chance does the average clinic have? And if attackers are cherry-picking medical histories, diagnoses, and treatment notes, what happens next for patients, providers, and regulators?
Those questions aren’t hypothetical. According to a report published April 23, 2026 by Security Boulevard, ransomware-driven data breaches at healthcare organizations in Illinois and Texas have impacted roughly 600,000 patients, with the Insomnia ransomware group claiming it stole data on at least 150,000 individuals and posting sample proof on its leak site earlier in the year. The incidents underscore a stubborn reality: healthcare remains the most targeted, and often the least forgiving, battleground for cyber extortion.
In this deep dive, we’ll break down what happened, why healthcare continues to be a bullseye, what Insomnia’s attack tells us about the current ransomware playbook, and the concrete steps organizations and patients should take now.
Source: Security Boulevard – Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000
What Happened, in Plain English
- Two separate healthcare providers—one in Illinois, one in Texas—reported data breaches tied to ransomware.
- The Insomnia ransomware group, a growing ransomware-as-a-service (RaaS) operation, claimed responsibility for at least part of the theft and published sample data in February 2026 to back its claims.
- The attackers likely got in via exploited remote desktop exposures or phishing, two of the most common healthcare attack vectors, particularly in environments running legacy systems or short-staffed IT teams.
- Attackers exfiltrated protected health information (PHI)—including names, addresses, diagnoses, and treatment histories—and then encrypted systems, a classic “double-extortion” pattern.
- Both organizations kicked off incident response, isolated affected networks, and brought in outside forensics teams. Notifications to patients are underway, and credit monitoring is being offered.
- No ransom payments have been confirmed, which aligns with guidance from federal agencies discouraging settlement with cybercriminals.
For patients, the risks aren’t abstract. PHI is a goldmine for criminals, enabling medical identity theft, insurance fraud, prescription abuse, targeted scams, and blackmail.
Who Is Insomnia—and Why Their Model Works
The Insomnia operation slots cleanly into the RaaS business model: developers build and maintain the tooling, affiliates perform intrusions and share revenue, and a public “leak site” pressures victims to pay by threatening data publication.
- Proof-of-theft tactic: Publishing sample data is a psychological lever designed to force negotiations and stunt organizational response by triggering regulatory notification obligations.
- Specialization: By focusing on common healthcare weaknesses—public-facing remote access, credential reuse, phishing, unpatched endpoints—affiliates keep costs low and conversion (to ransom payment) high.
- Market timing: Healthcare’s pandemic-era digital acceleration left many providers with sprawling, under-segmented networks and a long trail of legacy devices. That’s fertile terrain for RaaS affiliates.
For defenders, the lesson is clear: you’re not up against lone-wolf hackers; you’re facing a supply chain of cybercrime with roles, SLAs, affiliate portals, and playbooks.
How Attackers Likely Got In
While full forensic reports are often confidential, the indicators reported by Security Boulevard match common initial access patterns in healthcare:
- Exposed or weak Remote Desktop Protocol (RDP) services
- Phishing leading to credential theft and MFA fatigue
- Exploitation of known, unpatched vulnerabilities
- Third-party vendor compromise (less likely here but common sector-wide)
CISA and HHS have repeatedly warned about RDP and remote access exposures. In fact, older RDP vulnerabilities like BlueKeep (CVE-2019-0708) remain visible in scans years after publication, and many organizations still allow direct RDP from the internet—an avoidable, high-impact risk.
Helpful guidance:
- CISA’s ransomware portal: StopRansomware.gov
- HHS 405(d) guidance for healthcare: HICP resources
- NIST Cybersecurity Framework 2.0: NIST CSF 2.0
What Data Was Exposed—and Why It’s Dangerous
Reportedly exposed PHI includes:
- Names, addresses, phone numbers
- Medical diagnoses and treatment histories
- Potentially insurance or billing identifiers
Why that matters:
- Medical identity theft enables fraudulent claims and durable medical equipment scams that can take months to unwind.
- Sensitive diagnoses can be used for blackmail or targeted extortion phishing (“We saw your oncology visit—click here to view test results”).
- Long shelf life: Unlike credit cards, you can’t “reissue” your diagnosis. PHI remains valuable for years.
Why Healthcare Keeps Getting Hit
- High-value data: PHI fetches a premium on underground markets.
- Operational pressure: Downtime can risk patient care, increasing pressure to pay.
- Legacy tech: Old operating systems, unpatched medical devices, and bespoke clinical apps complicate updates.
- Limited resources: Many providers run lean IT/security teams with 24/7 clinical demands and limited patch windows.
- Complex vendor ecosystems: Hundreds of third-party connections expand the attack surface.
For attackers, this is a jackpot: valuable data, complex environments, time pressure, and often incomplete visibility.
Timeline and Response: What We Know
- February 2026: Insomnia reportedly posted sample data on its dark web leak site tied to the Illinois incident.
- April 23, 2026: Public reporting of combined impact (approximately 600,000 affected across both providers).
- Post-incident: Providers isolated affected systems, began forensics, and started patient notifications, including credit monitoring.
Notably, there’s no confirmation of ransom payment—consistent with U.S. agency guidance discouraging payments, particularly when sanctioned entities may be involved. For reference:
- HHS/OCR breach portal (“Wall of Shame”): HHS Breach Portal
- OFAC ransomware advisory (sanctions risk): U.S. Treasury OFAC
The Compliance Angle: HIPAA, State Laws, and Penalties
- HIPAA Breach Notification Rule: Covered entities must notify affected individuals without unreasonable delay and within 60 days of discovery. Breaches affecting 500+ residents of a state/jurisdiction require notification to prominent media outlets and HHS/OCR.
- Security Rule: Requires risk analysis and reasonable safeguards. Failure to implement basic controls (e.g., access controls, audit logs, encryption where appropriate) can lead to significant penalties.
- State laws:
- Illinois: Personal Information Protection Act (PIPA) imposes additional notice requirements for breaches of personal information.
- Texas: Texas Medical Records Privacy Act (TMRPA) and HB 300 strengthen privacy protections and may expand reporting obligations.
Organizations that can demonstrate a current security risk analysis, documented mitigation plans, workforce training, and technical safeguards fare better with regulators—and in potential litigation.
Learn more:
- HIPAA fundamentals: HHS HIPAA Overview
- State law summaries: National Conference of State Legislatures – Security Breach Notification Laws
Practical Steps for Healthcare Providers (Do This Now)
Here’s a prioritized roadmap combining immediate containment, near-term risk reduction, and durable resilience.
Immediate (0–15 Days)
- Lock down remote access:
- Disable direct RDP from the internet; require VPN with device posture checks.
- Enforce phishing-resistant MFA (FIDO2/WebAuthn) for all remote and privileged access.
- Hunt and contain:
- Review logs for suspicious lateral movement (e.g., PSExec, RDP pivoting, abnormal SMB traffic).
- Reset and reissue credentials for privileged accounts; rotate service account secrets.
- Segment at speed:
- Implement emergency ACLs between EHR, billing, imaging, and guest/IoT/IoMT networks.
- Block outbound traffic to known C2/Tor/IP ranges per the CISA Known Exploited Vulnerabilities Catalog.
- Backups and recovery posture:
- Isolate backups: confirm you have at least one offline or immutable copy (WORM).
- Test restore of a critical system to validate RTO/RPO.
- Communicate:
- Activate incident response plan and legal counsel.
- Notify cyber insurance and coordinate forensics, PR, and breach counsel.
- Preserve evidence for OCR and potential law enforcement. Consider reporting to the FBI via IC3.
Near Term (15–60 Days)
- Patch and harden:
- Prioritize internet-facing systems and high-severity CVEs; remediate RDP and VPN vulnerabilities first.
- Enforce least privilege and Just-In-Time access for admins with a Privileged Access Management (PAM) solution.
- Email and identity:
- Deploy modern email security with attachment detonation and link rewriting; enforce DMARC/DKIM/SPF.
- Reduce legacy authentication (disable basic/IMAP/POP) and enforce conditional access based on risk.
- Endpoint and detection:
- Roll out EDR/XDR with 24/7 monitoring; tune to flag ransomware precursors (e.g., Shadow Copy deletion, LOLBins).
- Centralize logs in a SIEM; enable long-term retention for forensic depth.
- Data controls:
- Encrypt PHI at rest and in transit; implement DLP to catch exfiltration patterns.
- Map PHI data flows to identify concentration points; reduce overexposed shares.
- People and process:
- Deliver targeted anti-phishing training with real simulations.
- Run a tabletop exercise specifically for double-extortion ransomware.
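The “Hunt and contain” and “Endpoint and detection” items above both come down to the same triage logic: scan logon, service-install and process-creation events for RDP fan-out, PsExec-style remote execution, and shadow-copy or backup-catalog deletion. The script below is an added example, not code from the original article or from any vendor; the event lines, host names and accounts are constructed, and the simple “EventID|key=value” format stands in for a real EVTX or JSON export.

```python
import re
from collections import defaultdict

# Constructed sample export (hypothetical hosts and users, not data from the incident).
# Format: "EventID|key=value|key=value..." keeps the parser small; a real export would be EVTX/JSON.
SAMPLE_EVENTS = [
    "4624|LogonType=10|User=svc_backup|Src=10.20.5.41|Host=PACS-SRV01",
    "4624|LogonType=10|User=svc_backup|Src=10.20.5.41|Host=EHR-DB02",
    "4624|LogonType=10|User=svc_backup|Src=10.20.5.41|Host=BILLING-APP1",
    "4624|LogonType=10|User=rad_tech|Src=10.20.7.9|Host=WS-RAD-14",
    "7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\\PSEXESVC.exe|Host=PACS-SRV01",
    "4688|CmdLine=vssadmin delete shadows /all /quiet|Host=EHR-DB02",
    "4688|CmdLine=wbadmin delete catalog -quiet|Host=EHR-DB02",
    "4688|CmdLine=notepad.exe C:\\Users\\jdoe\\notes.txt|Host=WS-RAD-14",
]

# Recovery-tampering command lines that typically precede encryption.
PRECURSOR_PATTERNS = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]
REMOTE_EXEC_SERVICES = {"PSEXESVC", "PAEXEC", "WINEXESVC"}  # Event 7045 service names for remote-exec tools
RDP_FANOUT_THRESHOLD = 3  # distinct hosts reached by one account from one source (LogonType 10 = RDP)

def parse_event(line):
    """Split 'EventID|k=v|k=v' into a dict; the event id lands under 'id'."""
    event_id, *fields = line.split("|")
    event = {"id": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def triage(lines):
    """Return findings (dicts with kind/host/detail) for precursors and lateral movement."""
    findings = []
    rdp_targets = defaultdict(set)  # (user, src) -> hosts reached over RDP
    for event in map(parse_event, lines):
        eid = event["id"]
        if eid == "4688":
            for name, pattern in PRECURSOR_PATTERNS:
                if pattern.search(event.get("CmdLine", "")):
                    findings.append({"kind": name, "host": event["Host"], "detail": event["CmdLine"]})
        elif eid == "7045" and event.get("ServiceName", "").upper() in REMOTE_EXEC_SERVICES:
            findings.append({"kind": "remote_exec_service", "host": event["Host"], "detail": event["ServiceName"]})
        elif eid == "4624" and event.get("LogonType") == "10":
            rdp_targets[(event["User"], event["Src"])].add(event["Host"])
    for (user, src), hosts in rdp_targets.items():
        if len(hosts) >= RDP_FANOUT_THRESHOLD:
            findings.append({"kind": "rdp_fanout", "host": ",".join(sorted(hosts)),
                             "detail": f"{user} from {src} reached {len(hosts)} hosts via RDP"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['kind']}] {f['host']}: {f['detail']}")
```

In a SIEM the same four conditions become standing correlation rules; the fan-out threshold should be tuned to the site’s normal admin behaviour so that a single jump host does not alert constantly.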
Strategic (60–180 Days)
- Architecture:
- Move toward Zero Trust principles: verify explicitly, use continuous evaluation, and segment by identity and sensitivity.
- Micro-segment critical clinical systems and IoMT; isolate legacy modalities and lab instruments.
- Governance:
- Complete a HIPAA Security Risk Analysis; tie remediation to a funded roadmap.
- Establish a security metrics dashboard for the board: patch SLAs, MFA coverage, privileged account count, mean time to detect/respond, backup restore success, and incident closeout rates.
- Vendor risk:
- Update BAAs; require security attestations (e.g., SOC 2 Type II, HICP alignment).
- Limit third-party connectivity; implement least-privilege access and session recording for vendors.
- Resilience:
- Expand immutable backups; adopt 3-2-1-1-0 rule (3 copies, 2 media, 1 offsite, 1 immutable, 0 errors after automated recovery testing).
- Pre-stage golden images for critical endpoints and servers.
Reference architectures and playbooks:
- CISA Ransomware Guide: CISA-Multi-State ISAC Ransomware Guide
- NIST SP 800-53 and 800-171 controls: NIST Publications
What Patients Should Do If They Receive a Breach Notice
If you’re among the patients being notified, assume your data could be misused and act immediately.
- Enroll in credit monitoring offered by the provider. Then, add your own protections:
- Place a free credit freeze with Equifax, Experian, and TransUnion. This is stronger than a fraud alert.
- Monitor healthcare activity:
- Review Explanation of Benefits (EOB) statements and pharmacy records for unfamiliar services or prescriptions.
- Create or secure your patient portal accounts to prevent account takeover; use unique passwords and MFA.
- Get your records:
- Request copies of your medical records to establish a clean baseline. Under HIPAA, you have a right to access.
- Watch for targeted scams:
- Be skeptical of emails, calls, or texts referencing your specific care. Verify directly with your provider via official channels.
- Tax and identity safety:
- Consider obtaining an IRS Identity Protection PIN to deter tax fraud: IRS IP PIN
- If you notice suspicious activity:
- Report to your provider, your insurer, and the Federal Trade Commission: IdentityTheft.gov
The Bigger Picture: 2026’s Healthcare Ransomware Reality
This incident reads like a composite of the last five years of ransomware evolution:
- Double extortion is standard: data theft plus encryption.
- RaaS lowers the barrier to entry for affiliates and scales attacks across regions and verticals.
- Initial Access Brokers (IABs) sell footholds—exposed RDP, VPN creds, or exploited edge devices—turning compromise into a commodity.
- Leak sites pressure victims publicly, and sample data posts lock in credibility with buyers and the media.
What’s changing in 2026:
- Faster dwell-to-exfiltrate timelines: criminals are shaving days—even hours—off lateral movement with automated discovery.
- Sharper targeting of PHI-rich systems: EHR, imaging archives (PACS), and billing are prime exfil targets before encryption.
- Insurance recalibration: cyber insurers increasingly mandate MFA, EDR, and privileged access controls as prerequisites for coverage and better terms.
For Boards and Executives: How to Measure Readiness
Move beyond “Are we compliant?” to “Are we resilient?” Ask for quantifiable metrics:
- MFA coverage across users, admins, and vendors (target: 100%)
- Percentage of internet-facing systems behind Zero Trust gateways
- Mean time to detect/respond (MTTD/MTTR) against ransomware simulations
- Patch SLAs for critical vulnerabilities (e.g., ≤7 days for internet-facing, ≤15 days internal)
- EDR/XDR deployment rate and 24/7 monitoring status
- Immutable backup coverage and quarterly restore test pass rates
- Privileged account count, JIT enforcement, and session recording coverage
- Phishing simulation failure rate trend over the past four quarters
- Tabletop exercise frequency and findings closure rate
Tie incentives to these outcomes. If you can’t measure it, you can’t manage it.
For Security Leaders: Quick Wins That Move the Needle
- Block direct RDP and SMB from the internet—today.
- Enforce phishing-resistant MFA for all remote and privileged access.
- Deploy EDR on every endpoint and turn on automatic isolation.
- Put critical systems behind an identity-aware proxy/ZTNA control.
- Turn on DNS filtering and egress controls to cut command-and-control.
- Shrink the blast radius: segment EHR, billing, PACS, and lab networks.
- Make backups immutable and practice a bare-metal restore this quarter.
For Clinical IT and Biomed/IoMT Teams
- Maintain an accurate inventory of all connected clinical devices and their patch posture (use MDS2 forms where available).
- Segment and firewall legacy devices that can’t be patched; apply virtual patching and deny-by-default rules.
- Disable unused services and ports; restrict outbound traffic from IoMT networks.
- Coordinate with vendors for security updates; time maintenance windows based on risk, not just convenience.
Will Paying a Ransom Fix It?
Even when a ransom is paid, data may have already been sold or duplicated. Decryptors can be buggy, and paying can create sanctions and legal risks. U.S. guidance from agencies like CISA and HHS discourages payment, urging organizations to invest in prevention and recovery readiness instead.
What Happens Next
Expect:
- Continued drip of disclosures as forensics define the full scope and regulators publish on the OCR breach portal.
- Potential class-action filings, especially if plaintiffs allege inadequate safeguards.
- Increased regulatory scrutiny on remote access, MFA coverage, and segmentation.
- More healthcare-specific advisories from CISA and HHS 405(d), reinforcing ransomware defense playbooks.
The arc is predictable. The opportunity is not: organizations that use this as a catalyst to modernize identity, network segmentation, and recovery will fare far better in the next campaign.
FAQs
Q: What information was stolen in these breaches?
A: According to public reporting, stolen data includes protected health information (PHI) such as names, addresses, diagnoses, and treatment histories. Such data can enable medical identity theft, fraudulent claims, and targeted scams.
Q: Who is behind the attacks?
A: The Insomnia ransomware group, operating as ransomware-as-a-service (RaaS), claimed responsibility for at least part of the theft and posted sample data in February 2026 to substantiate its claim.
Q: Did the providers pay a ransom?
A: As of reporting, no ransom payments have been confirmed. U.S. agencies discourage paying due to legal, ethical, and operational risks.
Q: How would attackers have gotten in?
A: The likely vectors are exploited remote desktop access (RDP), phishing that captured credentials, or other known but unpatched vulnerabilities common in healthcare environments.
Q: I’m a patient—what should I do right now?
A: Enroll in offered credit monitoring, place credit freezes with the major bureaus, monitor your EOB statements, enable MFA on your patient portal, and watch for targeted phishing. Report suspected identity theft at IdentityTheft.gov.
Q: Are hospitals required to notify me?
A: Yes. Under HIPAA, covered entities must notify affected individuals without unreasonable delay and within 60 days of discovering a breach. Large breaches also require reporting to HHS/OCR and, in some cases, the media.
Q: Can I see if my provider reported the breach?
A: Check the HHS Office for Civil Rights breach portal (“Wall of Shame”) here: HHS Breach Portal.
Q: What is PHI, exactly?
A: PHI is individually identifiable health information held by covered entities and their business associates, including medical records, billing information, and any data that ties health information to a specific person.
Q: Will credit monitoring stop medical identity theft?
A: Credit monitoring helps detect financial fraud but doesn’t directly stop misuse of medical benefits. That’s why reviewing EOBs and pharmacy records is critical.
Q: Is RDP safe to use?
A: Not when exposed directly to the internet. If RDP is required, put it behind a VPN or Zero Trust access solution, enforce phishing-resistant MFA, and restrict access by device posture and network policy.
Q: Does cyber insurance cover ransomware?
A: Policies vary and often require specific controls—MFA, EDR, backups, and incident response planning. Check your policy terms and coordinate with your carrier during incidents.
Q: Where can organizations find vetted guidance?
A: Start with StopRansomware.gov, HHS 405(d) HICP, and NIST CSF 2.0.
Final Takeaway
These twin breaches are a stark reminder: ransomware is no longer a question of “if” for healthcare—it’s “how often” and “how bad.” The Insomnia-led attacks highlight the same old weak points—remote access, identity, segmentation, backups—but also offer a blueprint for defense. Shut off direct RDP. Enforce phishing-resistant MFA. Segment your crown jewels. Make backups immutable and practice restoring them. Then measure, report, and fund the gaps until resilience is your default setting.
For patients, vigilance matters: freeze your credit, monitor your benefits, and treat unsolicited messages about your care with healthy skepticism.
Healthcare’s mission is too important to leave at the mercy of extortionware. Take this moment to turn guidance into muscle memory—before the next alert becomes your headline.