Two American cybersecurity professionals who signed up as affiliates for a ransomware group have each been sentenced to four years in prison. The third co-conspirator has yet to be sentenced and will learn his fate on July 9, 2026. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, along with co-conspirator Angelo Martino, 41, of Florida, had signed up to work as affiliates of the BlackCat ransomware group between April 2023 and December 2023. Under that arrangement, they received 80% of any ransoms they generated, and paid the remaining 20% share to the BlackCat ransomware group in exchange for access to the ransomware encryptor and supporting infrastructure.

Goldberg and Martin worked in cybersecurity and had the necessary skills and experience to secure computer systems against ransomware attacks, yet they chose to use their skills to inflict harm for financial gain. While a four-year jail term is no walk in the park, Goldberg and Martin can consider themselves fortunate, as they, along with co-conspirator Martino, faced up to 20 years in jail.

“The court’s sentences today reflect the damage that these defendants inflicted during their cyberattacks on victim companies throughout the United States,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “They harmed important firms who were providing medical and engineering services. They played hardball with them, going so far as to cause the leak of patient data from a doctor’s office victim. They also split the ransoms they were paid, and laundered the illicit proceeds. These were supposed to be cybersecurity specialists who did good and helped businesses and people. Instead, they used their high-level cyber skills to feed their greed. Ransomware attackers like this should be punished and removed from society to serve their lawful sentences so they cannot harm others.”

Martino is due to be sentenced in July. In addition to conspiring with Goldberg and Martin to attack companies with ransomware, Martino simultaneously worked as a ransomware negotiator while partnering with the ransomware group, sharing confidential information gained through his legitimate employment to maximize ransom payments.

April 22, 2026: Ransomware Negotiator Pleads Guilty to Conducting U.S. Ransomware Attacks

The third ransomware negotiator indicted for his role in conducting BlackCat ransomware attacks on U.S. companies in 2023 has entered a guilty plea. Angelo Martino, 41, of Land O’Lakes in Florida, worked as a ransomware negotiator for the cyber threat intelligence and incident response firm DigitalMint. Unbeknownst to his employer, Martino was working for both sides, dealing with ransomware groups on behalf of DigitalMint clients who had been attacked by ransomware groups, while simultaneously collaborating with the BlackCat ransomware group responsible for the attacks.

According to the U.S. Department of Justice, Martino negotiated on behalf of five ransomware victims and provided the BlackCat ransomware group with confidential information about his clients’ negotiating positions and strategies, without the knowledge or permission of his employer. Information passed to the ransomware group by Martino included details about the clients’ insurance policy limits and negotiating positions, allowing the ransomware group to maximize the ransom payments. Martino was alleged to have been compensated financially for providing the information.

“Ransomware victims turned to [Martino] for help, and he sold them out from the inside,” said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “As he admitted in court, he abused his position at a cyber incident response company to feed confidential information to BlackCat actors, helping them maximize ransom payments from American victims. He then went further, joining the conspiracy himself to deploy ransomware and profit from extortion.”

Martino pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce or the movement of any article or commodity in commerce by extortion. Martino’s co-conspirators, Ryan Goldberg and Kevin Martin, were charged under a separate indictment and have already entered guilty pleas. Martin was also employed by DigitalMint as a ransomware negotiator, and Goldberg was employed by the cybersecurity firm Sygnia as an incident responder. Goldberg and Martin are scheduled to be sentenced on April 30, 2026, and Martino is due to be sentenced on July 9, 2026. All three men face up to 20 years in jail.

March 12, 2026: Third Ransomware Negotiator Charged Over Involvement with BlackCat Ransomware Group

Another former employee of DigitalMint has been accused of involvement with the ALPHV/Blackcat ransomware group while working as a ransomware negotiator for the Chicago-based cyber threat intelligence and incident response company.

As previously reported below, the U.S. Department of Justice had previously indicted two individuals for their role in ALPHV/BlackCat ransomware attacks – Former DigitalMint employee Kevin Tyler Martin and former Sygnia incident response manager Ryan Goldberg. Both have entered guilty pleas. Angelo John Martino III, 41, of Land O’ Lakes in South Florida, was included in the October 2025 indictment of Martin and Goldberg but was only identified as co-conspirator 1. His indictment has recently been unsealed.

According to the indictment, while working as ransomware negotiators for legitimate firms, all three defendants are alleged to have also been working with the ALPHV/Blackcat ransomware group. Martino is alleged to have conspired with defendants Martin and Goldberg and other unknown individuals to conduct ransomware attacks on U.S companies, including a non-profit, medical company, a medical device manufacturer, a California doctor’s office, and a pharmaceutical company.

According to the indictment, Martino provided information gained from his work as a ransomware negotiator to ALPHV/BlackCat co-conspirators to maximize ransom payments. The trio also engaged in attacks as ALPHV/BlackCat affiliates, deploying ransomware.

Across the 10 attacks included in the indictment, six resulted in ransom payments totaling more than $75.25 million, including two payments of more than $25 million. As affiliates, Martino and his co-conspirators are alleged to have paid 20% of the ransom payments to the administrators of the ransomware group.

According to the indictment, five of the companies that Martino was involved with attacking engaged DigitalMint to assist with ransom negotiations. DigitalMint assigned each of those negotiations to Martino. Martino was therefore negotiating on behalf of the companies he had attacked and the ransomware group he was working with. All five of the victims ended up paying the ransoms.

DigitalMint was unaware that Martino was working with the ALPHV/BlackCat ransomware group, and suspended Martino’s access to its systems when notified by the Department of Justice of the investigation and fired him the following day. Prior to being notified by the Department of Justice, DigitalMint was unaware that Martino and Martin were involved with the ALPHV/BlackCat ransomware group. DigitalMint has not been accused of any wrongdoing.

“We strongly condemn these former employees’ criminal behavior, which violated our values, ethical standards and the law,” said DigitalMint CEO Jonathan Solomon in a statement. “DigitalMint has fully cooperated with law enforcement from the outset and does not expect further charges. While no organization can completely eliminate insider risk, we take incidents like this extremely seriously and have strengthened safeguards and internal controls to further reduce the likelihood of similar conduct.”

Martino has been charged with conspiracy to interfere with commerce by extortion and faces up to 20 years in jail. Assets have been seized, including properties and vehicles, along with almost $9.2 million in cryptocurrency. Martino is scheduled to enter a plea on March 19, 2026, and has been released on a $500,000 bond. He has been prohibited from leaving the Southern District of Florida and is not permitted to work in the cybersecurity industry.

November 4, 2025: U.S. Nationals Indicted for BlackCat Ransomware Attacks on Healthcare Organizations

Two U.S. nationals have recently been indicted for using BlackCat ransomware to attack targets in the United States. A third individual is suspected of involvement but was not included in the indictment. All three individuals worked at cybersecurity companies and conducted the attacks while they were employed there.

Ryan Clifford Goldberg was employed by the cybersecurity firm Sygnia as an incident response professional, and Kevin Tyler Martin and an unnamed co-conspirator were both employed by the Chicago-based cyber threat intelligence and incident response firm DigitalMint as ransomware threat negotiators.

The two indicted individuals are alleged to have engaged in a conspiracy to enrich themselves by breaching company networks, stealing their data, using ransomware to encrypt files, and extorting the companies to obtain cryptocurrency payments. A medical device company was attacked on or around May 13, 2023, resulting in a $10 million ransom demand.  The medical device company negotiated and paid a $1,274,000 ransom payment.

A pharmaceutical company was also attacked in May 2023, but the ransom demand was not disclosed. Then came a July 2023 attack on a doctor’s office in California, which included a $5,000,000 ransom demand. In October 2023, an engineering company was attacked and told to pay $1 million, then in November 2023, a drone manufacturer in Virginia was attacked, and the defendants allegedly demanded a $300,000 ransom payment. Only the medical device company paid the ransom.

Kevin Tyler Martin, who resides in Texas, was employed as a ransomware negotiator by DigitalMint between May 2023 and April 2025, where the unnamed Florida-based co-conspirator also worked. Both individuals are thought to have been rogue employees and have been fired by DigitalMint, which has been cooperating with the law enforcement operation. Ryan Clifford Goldberg was employed as an incident response manager at Sygnia Cybersecurity Services at the time of the attacks, but no longer works for the company.

There are no indications that either company was aware of the attacks, which were conducted outside of their infrastructure and systems. DigitalMint said client data was not compromised in the incident, and no one alleged to have been involved in the scheme has worked for the company in over four months.

The FBI raided the home of the unnamed co-conspirator in April 2025, and Goldberg was interviewed by the FBI the following month, initially denying involvement in the scheme. Goldberg later claimed to have been recruited by the unnamed co-conspirator and said he conducted the attacks to get out of debt. He claims that, along with the other two members of the scheme, he received payment of $200,000 for the attack. Martin denies any involvement in the scheme.

Martin and Goldberg were indicted on October 2, 2025, on charges of conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to a protected computer. Martin has been released on a $400,000 bond and is prohibited from working in cybersecurity before the trial.

Goldberg is being held pending trial as he is considered a flight risk. Goldberg booked a one-way flight from Atlanta to Paris in June and traveled with his wife. He remained in France until September 21. Goldberg flew from Amsterdam to Mexico City and was arrested when he landed and deported to the United States. If found guilty, Martin and Goldberg face up to 50 years in jail.

The post American Cybersecurity Professionals Given Jail Terms for BlackCat Ransomware Attacks appeared first on The HIPAA Journal.

Therapeutic Health Services, a Seattle, WA-based provider of opioid addiction treatment, mental health counseling, and rehabilitation for alcohol and drug addiction recovery, has agreed to settle class action litigation over a February 2024 hacking incident that exposed the protected health information of more than 14,000 patients.

The incident was detected on February 26, 2024, and the investigation confirmed that patients’ names, dates of birth, Social Security numbers, and health information were compromised in the incident. The Hunters International threat group claimed responsibility for the cyberattack. Four class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Kersey, et al., v. Therapeutic Health Services – in the Superior Court of the State of Washington, King County.

The lawsuit alleged that Therapeutic Health Services failed to implement appropriate safeguards to protect sensitive data on its network, resulting in the exposure and theft of the sensitive information of current and former patients and employees. Therapeutic Health Services maintains that there was no wrongdoing and denies all allegations and all liability, does not believe that the class members suffered any damage, nor that the action satisfies the requirements to be certified or tried as a class action lawsuit. After determining that the litigation would likely be protracted and expensive, the decision was taken to settle the litigation. The plaintiffs believe that the settlement that has been negotiated is fair and in the best interests of all class members.

Under the terms of the settlement, Therapeutic Health Services has agreed to establish a $790,000 settlement fund to cover attorneys’ fees and expenses, service awards, settlement administration costs, and class members’ claims. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may be submitted for a cash payment of up to $100, which may be adjusted pro rata depending on the number of valid claims received. All class members may also claim three years of three-bureau credit monitoring services.

Claims must be submitted by January 13, 2026, and the final fairness hearing has been scheduled for January 23, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 15, 2025.  Further information can be found on the settlement website, https://www.thsdatasettlement.com/

The post Therapeutic Health Services Pays $790K to Resolve Class Action Data Breach Litigation appeared first on The HIPAA Journal.