Ransomware and data-breach disclosures across education, critical infrastructure, and healthcare
Rome’s La Sapienza University shut down network systems as a precaution after a cyberattack caused widespread disruption and left its website offline; Italian media attributed the incident to a suspected ransomware operation linked to pro-Russian actor Femwar02, with reported tradecraft resembling Bablock/Rorschach-style fast encryption. Separately, Romania’s national oil pipeline operator Conpet reported a cyberattack that disrupted corporate IT and took down www.conpet.ro while leaving OT/SCADA and pipeline transport operations unaffected; Qilin claimed responsibility, alleging theft of nearly 1TB of data and posting sample documents (including financial data and passport scans) to support extortion claims.
In the U.S., government services contractor Conduent faced expanding breach impact from its January 2025 ransomware incident, with notifications indicating exposure potentially reaching tens of millions; reported affected data includes names, Social Security numbers, and medical/health insurance information, with at least 15.4M impacted in Texas and 10.5M in Oregon per state disclosures. Additional healthcare-sector disclosures included a ransomware-linked intrusion at Insightin Health (unauthorized access in September 2025; Medusa claimed exfiltration of 378GB) and a separate compromise at Clinic Service Corporation (August 2025 access window), while Central Ozarks Medical Center reported a criminal cyberattack affecting 11,818 individuals with exposure of PHI/PII (including SSNs and financial/insurance data). Other items in the set were not incident-specific: an HHS-OIG audit describing web application security weaknesses at a large hospital, and general guidance/education pieces on the value of medical records to attackers and CISA insider-threat guidance.

How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
Conduent breach totals expand to tens of millions
Updated breach figures reported in early February 2026 showed the Conduent incident affected millions more Americans than previously known, including at least 15.4 million in Texas and 10.5 million in Oregon. Notifications were ongoing, with completion planned by early 2026.
Reports attribute Sapienza attack to Femwar02 ransomware
Italian media reported the Sapienza incident was a ransomware attack attributed to pro-Russian actor Femwar02, with malware resembling Bablock or Rorschach and causing data encryption. The report said a ransom note was present but not opened to avoid triggering a 72-hour timer.
Sapienza University shuts down systems after cyberattack
Sapienza University in Rome disclosed a cyberattack that disrupted IT services and led to an immediate shutdown of network systems to protect data integrity. Authorities were notified, a technical task force was formed, and recovery began while digital services remained unavailable.
Qilin claims Conpet breach and posts proof samples
The Qilin ransomware group listed Conpet on its leak site, alleging it stole nearly 1 TB of data. It published sample images of internal documents, including financial records and passport scans, as proof of compromise.
Conpet discloses cyberattack affecting corporate IT and website
Romanian oil pipeline operator Conpet announced a cyberattack disrupted its corporate IT systems and took its public website offline, while saying pipeline transport operations and OT systems were unaffected. The company began restoration with national cybersecurity authorities and filed a criminal complaint with DIICOT.
Safeway gang claims Conduent attack and data theft
The Safeway ransomware gang claimed responsibility for the Conduent incident and alleged it stole more than 8 TB of data. Later breach notifications linked the attack to at least 15.4 million affected people in Texas and 10.5 million in Oregon, with more notifications sent in other states.
COMC discloses breach affecting nearly 12,000 patients
Central Ozarks Medical Center disclosed that a criminal cyberattack potentially exposed the personal and protected health information of 11,818 individuals. The organization offered at least 12 months of credit monitoring and identity theft protection and said it was implementing cybersecurity enhancements.
Middlesex Sheriff’s Office completes breach file review
After a January 2025 breach and multi-agency investigation, the Middlesex Sheriff’s Office completed its file review on 2025-11-19. The incident was reported to HHS OCR with a placeholder figure of 501 affected individuals.
Central Ozarks Medical Center identifies possible data compromise
Central Ozarks Medical Center determined around 2025-11-10 that data may have been accessed or acquired without authorization in a criminal cyberattack affecting patient information.
Insightin Health attackers access network over six days
Forensics found unauthorized access to Insightin Health's network occurred between 2025-09-17 and 2025-09-23, exposing protected health information such as names, dates of birth, Medicare Beneficiary Identifiers, and insurance or provider-related data.
Insightin Health detects suspicious activity
Insightin Health detected suspicious activity in September 2025 and later disclosed a cyber incident involving unauthorized network access. Medusa was reported to have claimed responsibility and alleged theft of 378 GB of data.
Clinic Service Corporation detects hacking incident
Clinic Service Corporation detected the incident on 2025-08-17 and later notified regulators and offered affected individuals credit monitoring and identity theft protection.
Clinic Service Corporation network accessed in August 2025 breach
Clinic Service Corporation said unauthorized access to its systems occurred between 2025-08-10 and 2025-08-17, exposing extensive PII and PHI including diagnoses, treatment details, and insurance and claims data.
Conduent ransomware attack disrupts operations
A ransomware attack on Conduent in January 2025 caused multi-day operational outages. The company later said stolen datasets contained significant end-user personal information tied to client services.
Sources
5 references tracked.
Italian university La Sapienza goes offline after cyberattack
bleepingcomputer.com
Data breach at govtech giant Conduent balloons, affecting millions more Americans | TechCrunch
techcrunch.com
Romanian oil pipeline operator Conpet discloses cyberattack
bleepingcomputer.com
Healthcare Technology Company Discloses Ransomware Attack
hipaajournal.com
Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients
hipaajournal.com


