Data Shows Elevenfold Increase in Data-only Extortion Attacks

There has been a sharp increase in data-only extortion incidents, with ransomware gangs increasingly opting not to encrypt files, instead simply breaching networks, exfiltrating sensitive data, and demanding a ransom payment to prevent the data from being leaked or sold.

Ransomware started to become popular with threat actors in the early to mid-2010s. Attacks involved breaching networks and using robust encryption to prevent data access. The emergence of untraceable cryptocurrencies helped fuel an explosion in ransomware attacks. In the mid-2010s, encryption alone proved to be sufficient, with the majority of victims opting to pay to recover their data. By 2020, double extortion became more prevalent, where data is stolen prior to file encryption. A ransom payment is required to obtain the decryption keys and prevent the publication or sale of stolen data. Double extortion fast became the norm, with the majority of ransomware attacks involving data theft and extortion.

The rapid rise in ransomware attacks forced organizations to address their data backup policies. While attacks may involve deletion or encryption of backups, victims are now much more likely to have offline backup copies of critical data that they can use to recover from the encryption with minimal data loss. It is often the threat of sale or leaking of exfiltrated data that is the primary reason for paying a ransom, as organizations seek to limit reputational damage.

Data encryption increases the chances of detection, attacks take longer, and fewer victims are paying ransoms to recover encrypted data. Threat actors understand that the reputational harm caused by data leaks is often enough, and some groups have abandoned encryption altogether. For example, PEAR (Pure Extortion and Ransom), a newly formed threat group that emerged in 2025, has exclusively adopted data-only extortion, as has the Silent Ransom group.

The recently published Arctic Wolf 2026 Threat Report confirms that ransomware attacks continue to be lucrative for threat actors. Ransomware attacks accounted for 44% of Arctic Wolf’s incident response (IR) cases from November 2024 to November 2025, exactly the same percentage as the previous reporting period. While there have been significant law enforcement operations targeting the most prolific ransomware groups – LockBit, ALPHV/BlackCat, and BlackSuit – those actions have had little effect on reducing the volume of attacks, and have simply shifted the ransomware ecosystem. There has been a proliferation of smaller groups, and some groups have stepped up attack volume to fill the vacuum.

Arctic Wolf’s report highlights the growing trend of data extortion-only attacks, which increased elevenfold between November 2024 and November 2025. Data extortion-only attacks increased from 2% of Arctic Wolf’s IR cases in the previous reporting period to 22% in the current reporting period. “We’re seeing a clear pivot in attacker behavior. As organizations improve their ability to recover from encryption events, some threat actors are skipping ransomware altogether and moving straight to data theft and extortion,” said Kerri Shafer-Page, VP of Incident Response, Arctic Wolf. “From an incident response perspective, this shift fundamentally changes how impact is assessed and managed.”

Arctic Wolf said the increase in data extortion-only attacks shows that threat groups are willing and able to evolve when needed, and attributes the rise in attacks to organizations being better prepared and able to recover quickly from traditional encryption events. Arctic Wolf reports that ransomware actors are maturing their affiliate ecosystems and are now operating very much like business enterprises, with structured affiliate programs, tiered revenue models, and operational support to attract and retain a broader pool of cybercriminals.

Arctic Wolf also reports a prominent trend of diversification of ransomware-as-a-service (RaaS) offerings, where, in addition to a percentage of any ransom payments, affiliates are offered data extortion and access monetization, allowing them to profit from stolen data and compromised credentials without having to encrypt files with ransomware. For the time being, at least, Arctic Wolf has not observed any significant increase in activity from groups with these offerings. What has had an immediate impact is groups absorbing affiliates from other RaaS programs, such as Qilin, which recruited affiliates from the RansomHub operation when it shut down, and rapidly accelerated attacks and became the most prolific threat group.

Aside from ransomware, Business Email Compromise (BEC) continues to be favored by hackers, accounting for 26% of Arctic Wolf’s IR cases, although the targets were primarily finance and legal firms, rather than healthcare organizations. While phishing is the leading initial access vector for BEC attacks, other hacking incidents mostly involved attacks on remote access tools, remote monitoring and management software, and VPNs. These access vectors were used in around two-thirds of non-BEC IR cases, up from 24% three years ago. The exploitation of vulnerabilities has fallen from 26% of IR cases in the previous reporting period to just 11% in the current reporting period.

The post Data Shows Elevenfold Increase in Data-only Extortion Attacks appeared first on The HIPAA Journal.

Three Healthcare Providers Affected by Ransomware Attacks

Issaqueena Pediatric Dentistry in South Carolina, Enhabit Home Health & Hospice in Texas, and AltaMed Health Services in California have announced that patient data has potentially been compromised in ransomware attacks.

Issaqueena Pediatric Dentistry, South Carolina

Issaqueena Pediatric Dentistry in Seneca, South Carolina, has recently reported a hacking incident to the HHS’ Office for Civil Rights that involved unauthorized access to personally identifiable information and protected health information. The incident is still being investigated, so the number of affected individuals has yet to be confirmed. The OCR breach portal currently lists the incident as affecting at least 501 individuals.

In a substitute breach notice on its website, Issaqueena Pediatric Dentistry confirmed that an unauthorized third party gained access to certain files on its system between November 9 and November 11, 2025. Issaqueena Pediatric Dentistry discovered the intrusion on November 11, 2025, when ransomware was used to encrypt files. Its incident response protocols were activated, steps were taken to contain the incident, and law enforcement was notified.

Issaqueena Pediatric Dentistry said files are being reviewed to determine the affected individuals and the types of data involved, warning that it is a time-intensive process. Notification letters will be mailed to the affected individuals as soon as possible. The Interlock ransomware group claimed responsibility for the attack, said it exfiltrated 118 GB of data, and listed the data for download on its dark web data leak site, which suggests the ransom was not paid.

Issaqueena Pediatric Dentistry said its network has been secured, and it is working with third-party security experts to implement measures to harden security. Issaqueena Pediatric Dentistry has confirmed that the affected individuals will be offered complimentary credit monitoring and identity theft protection services.

Advanced Homecare Management (Enhabit Home Health & Hospice), Texas

Advanced Homecare Management, LLC, doing business as Enhabit Home Health & Hospice in Dallas, Texas, has notified 22,552 patients that some of their protected health information was compromised in a data breach at one of its business associates.

My 485, Inc., which does business as Doctor Alliance, provides a platform that facilitates the sharing of medical information between doctors and home health agencies and hospices. Enhabit Home Health & Hospice said one or more medical providers may have used the Doctor Alliance platform to facilitate care at entities affiliated with Enhabit, and the platform contained patients’ protected health information.

On December 5, 2025, Doctor Alliance informed Enhabit about a potential security incident involving the data of certain Enhabit patients. Doctor Alliance determined that the platform was subject to unauthorized access between October 31, 2025, and November 6, 2025, and again between November 14, 2025, and November 17, 2025. The platform was accessed by an unauthorized individual using valid credentials for a user account, which allowed access to protected health information such as names, addresses, dates of birth, patients’ gender, physician names, medical record numbers, clinical information, and health plan numbers. Enhabit said financial information and Social Security numbers were not compromised in the incident.

Doctor Alliance has implemented additional authentication mechanisms in the affected software and has notified regulators about the breach. The incident is not yet shown on the OCR breach portal, so the scale of the breach is currently unknown. This appears to have been a ransomware attack. The Kazu ransomware group claimed responsibility.

AltaMed Health Services Corporation, California

AltaMed Health Services Corporation, a provider of primary care, senior care, and health and human services in California, has alerted patients about a cybersecurity incident on December 14, 2025. The incident limited access to some of its computer systems, language often used to describe a ransomware attack.

AltaMed said it immediately initiated its incident response protocols when the cyberattack was detected and worked quickly to contain the incident. Third-party cybersecurity experts were engaged to assist with the investigation, and law enforcement was notified. Under its emergency protocols, AltaMed continued to provide care to patients as scheduled and remained operational throughout the recovery.

The investigation into the incident is ongoing; however, it has been determined that the compromised systems contained some patient information, including names, dates of service, and payment information. Additional safeguards and technical security measures have been implemented to further protect and monitor its systems. The affected individuals have been advised to review their statements and explanation of benefits statements and should report any charges for services that they have not received. Regulators have been notified; however, the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Three Healthcare Providers Affected by Ransomware Attacks appeared first on The HIPAA Journal.