Empty hospital corridor with fluorescent lighting and medical equipment

TL;DR:

  • What happened: On May 16, 2026, the DragonForce ransomware group claimed responsibility for breaching AdvancedHEALTH, a healthcare network operating over 550 providers across Tennessee. They say they exfiltrated 390 GB of data containing 2.3 million lines of patient information. [1][2]
  • Children’s data: The stolen data reportedly includes 83,162 records belonging to minors. Medical records of children (diagnoses, prescriptions, insurance details, family information) now sitting on a ransomware group’s leak site. [1][3]
  • The extortion tactic: DragonForce isn’t dumping everything at once. They’re publishing 1,000 lines of patient data per day until AdvancedHEALTH pays or a buyer emerges. It’s slow-drip extortion, a pressure campaign designed to maximize panic and media coverage. [1][2]
  • Legal action: Class-action attorneys at Bryson Harris Suciu & DeMay PLLC are already investigating. At least one affiliated clinic has notified patients. AdvancedHEALTH has not officially confirmed the breach. [3]
  • The pattern: DragonForce has claimed 167 attacks in 2026 so far, with 14 confirmed by targeted organizations. Healthcare is their primary hunting ground. [4]

390 Gigabytes of Patient Data

DragonForce posted to its leak site on May 16, 2026, claiming it had stolen 390 GB from AdvancedHEALTH’s systems. The haul, according to screenshots the group provided as evidence, includes: [1][2]

  • 2.3 million lines of patient data: names, diagnoses, prescriptions, insurance information
  • 83,162 records belonging to minors
  • Partner agreements and contracts
  • Management files
  • Payroll and HR records for employees

AdvancedHEALTH operates a network of over 550 healthcare providers across Tennessee. That’s not a single clinic. That’s a sprawling network where a breach at the corporate level can expose patients across hundreds of facilities. [3]

The company hasn’t confirmed the breach publicly. But at least one affiliated clinic has already started notifying patients that their data may have been compromised. [3]

The Slow Drip: 1,000 Lines Per Day

DragonForce didn’t just threaten to dump the data. They set up a schedule.

One thousand lines of patient data, published daily, until AdvancedHEALTH pays or a buyer takes the whole package. Each day, more names, more diagnoses, more prescriptions appear on a publicly accessible leak site. [1][2]

This is slow-drip extortion, and it’s becoming the new ransomware playbook. Traditional double extortion (encrypt systems, threaten to leak) gives the victim a binary choice: pay or don’t. Slow-drip extortion applies escalating pressure. Every day the victim delays, more data becomes public. Media outlets pick it up. Patients start calling. Lawyers start filing. The cost of not paying compounds daily.

For healthcare providers, this is particularly brutal. Medical data doesn’t expire. A credit card number can be replaced. A child’s mental health diagnosis, prescription history, or genetic information follows them forever.

83,000 Children’s Records

The 83,162 minors’ records deserve separate attention.

Children can’t monitor their own credit. They can’t check if someone has opened accounts in their name. Most parents don’t freeze their kids’ credit because they don’t know it’s possible. Medical identity theft against children often goes undetected for years, sometimes until the child turns 18 and applies for their first credit card or student loan. [1]

A stolen medical record for a child typically includes:

  • Full name, date of birth, Social Security number
  • Parent/guardian information and contact details
  • Insurance policy numbers and group IDs
  • Medical history, diagnoses, medications
  • Vaccination records

That’s everything a fraudster needs to open credit accounts, file false insurance claims, or build a synthetic identity. And because it’s a child’s record, nobody’s checking.

DragonForce’s 2026 Campaign

DragonForce isn’t new to healthcare. The group has been one of the most active ransomware operations in 2026, claiming 167 attacks so far this year, with 14 confirmed by the targeted organizations. Healthcare is their most frequent target. [4]

Their recent healthcare hits include:

  • Health Management Systems (Australia): Attacked in March 2026 with a similar data exfiltration and extortion pattern [5]
  • AdvancedHEALTH (US): The current attack, May 16, 2026

The group uses what security researchers call “data-only extortion,” stealing data without necessarily encrypting systems. The HIPAA Journal reported an elevenfold increase in data-only extortion attacks in 2026, making it the fastest-growing ransomware tactic in healthcare. [6]

The logic is simple: encrypting a hospital’s systems creates an immediate crisis that forces a rapid decision. Stealing data and leaking it slowly creates a prolonged crisis that gives the victim time to panic, consult lawyers, calculate costs, and often conclude that paying is cheaper than the alternative.

HIPAA Is Watching, Eventually

Under HIPAA’s Breach Notification Rule, if a ransomware group steals personal health information, the covered entity must notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media. For breaches affecting more than 500 individuals, notification must happen within 60 days of discovery. [7]

The clock is ticking for AdvancedHEALTH. If the breach is confirmed (and with data actively being published on a leak site, it’s hard to argue it isn’t) they’re obligated to notify potentially hundreds of thousands of patients across their 550-provider network.

HHS hasn’t been idle on ransomware enforcement. In April 2026, the Office for Civil Rights settled with four healthcare entities following ransomware investigations, signaling that “we got ransomwared” is not a HIPAA defense. [7]

Meanwhile, Bryson Harris Suciu & DeMay PLLC is already seeking current and former patients and employees for a potential class-action lawsuit. The firm is investigating whether AdvancedHEALTH failed to implement adequate security measures. [3]

Healthcare Under Siege in 2026

AdvancedHEALTH isn’t an isolated incident. It is one more chapter in the wider healthcare ransomware epidemic. Healthcare has been getting hammered all year:

  • From January to March 2026 alone, researchers at Comparitech logged 81 attacks on healthcare businesses and 120 attacks on hospitals, clinics, and other providers [4]
  • Healthcare was the most targeted sector in March 2026, with 18 attacks in a single month [4]
  • The Medtronic breach earlier this year exposed 9 million records from a medical device maker
  • Data-only extortion attacks (steal without encrypting) increased elevenfold, according to the HIPAA Journal [6]

The shift toward data-only extortion is particularly dangerous because it removes the one forcing function that made organizations take ransomware seriously: the inability to operate. When systems go down, hospitals divert ambulances and cancel surgeries. That creates urgency. When data is stolen quietly and leaked slowly, the crisis is invisible until it’s on a leak site.

What You Can Do

If you’re an AdvancedHEALTH patient (or your child is):

  • Freeze your child’s credit. Contact Equifax, Experian, and TransUnion to place a credit freeze on your child’s Social Security number. It’s free and it’s the single most effective defense against identity theft using stolen minor records
  • Monitor your own credit. Place fraud alerts and review your credit reports at annualcreditreport.com
  • Watch for medical identity theft. Review Explanation of Benefits statements from your insurer. If you see services you didn’t receive, someone is using your medical identity
  • Document everything. If you receive a breach notification, save it. If you file a class-action claim, you’ll need it
  • Contact the attorneys. If you believe your data was compromised, class-action attorneys at ClassAction.org are actively investigating [3]

For everyone else:

  • Freeze your kids’ credit now. Don’t wait for a breach notification. Children’s SSNs are the most valuable targets in healthcare breaches because they go unmonitored for years
  • Ask your healthcare provider about their security. Do they encrypt data at rest? Do they have a breach response plan? If they can’t answer, that tells you something
  • Assume your medical data has been compromised. Between the Change Healthcare catastrophe in 2024, the Medtronic breach, and now AdvancedHEALTH, the odds that your healthcare data is somewhere it shouldn’t be are uncomfortably high

Sources

  1. TechRepublic: AdvancedHEALTH Ransomware Claim Includes 2.3M Patient Data Lines (May 2026)
  2. DeXpose: DragonForce Strikes AdvancedHEALTH in Ransomware Attack (May 16, 2026)
  3. ClassAction.org: Possible AdvancedHEALTH Data Breach; Attorneys Investigating (May 2026)
  4. Comparitech: Healthcare Ransomware Roundup: Q1 2026 Stats on Attacks, Ransoms, and Data Breaches (2026)
  5. DeXpose: DragonForce Strikes Health Management Systems in Australia (March 2026)
  6. HIPAA Journal: Report Reveals Elevenfold Increase in Data-only Extortion Attacks (2026)
  7. HHS: Fact Sheet: Ransomware and HIPAA (Updated 2026)