Qilin Ransomware Claims Against Georgia Organizations
The Qilin ransomware operation claimed responsibility for compromising the Augusta Housing Authority (AHA) in Georgia and published sample files allegedly stolen from the agency, including internal correspondence, financial/expense documents, and spreadsheets containing sensitive personal information (e.g., utility reimbursement recipient data and employee benefits deductions). AHA had not publicly confirmed the intrusion, but reported ongoing efforts to restore website functionality amid access issues; reporting also notes Qilin’s high operational tempo in early 2026, with numerous claimed victims across sectors.
Separately, a Georgia-based healthcare provider group, ApolloMD, reported to U.S. regulators that a 2025 intrusion exposed data for 626,540 individuals, including SSNs and medical/insurance information; ApolloMD said attackers accessed its IT environment over a short window in May 2025, and Qilin publicly claimed the attack in June 2025. A third report about Conduent’s 2025 ransomware incident (impact estimates rising to ~25 million) describes a different victim and event and is not part of the Qilin/Georgia victim reporting described above.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Qilin leaks sample data allegedly stolen from Augusta Housing Authority
Qilin published four sample datasets it said were taken from the Augusta Housing Authority, including tax-related correspondence, a December 2025 utility reimbursement report, a 2023 expense sheet, and employee benefits payroll information. Cybernews researchers said the samples contained sensitive data.
Augusta Housing Authority reports website access issues
The Augusta Housing Authority said it was working to restore website functionality amid access issues, around the time Qilin alleged it had compromised the organization. The authority had not publicly acknowledged the ransomware gang's breach claim.
ApolloMD files updated breach report showing 626,540 victims
ApolloMD submitted a subsequent filing to the U.S. Department of Health and Human Services reporting that 626,540 people were affected by the 2025 attack. This updated federal disclosure provided the full victim count after the company's earlier September notification.
ApolloMD notifies affected individuals of breach
ApolloMD initially disclosed the incident and notified affected individuals in September 2025. At that stage, the company said the May attack had compromised sensitive personal and protected health information.
Qilin claims responsibility for ApolloMD attack
In June 2025, the Qilin ransomware gang claimed the cyberattack against ApolloMD. The group was later linked in reporting to the theft of sensitive patient data from the healthcare company.
Qilin breaches ApolloMD systems
ApolloMD said attackers were present in its IT environment between 2025-05-22 and 2025-05-23, accessing patient-related information tied to ApolloMD-affiliated physicians and practices. The exposed data included personal and medical information, health insurance data, and Social Security numbers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Toll of Georgia health firm hack exceeds 620K | SC Media
scworld.com
Open sourceQilin admits Georgia housing authority breach, leaks files | SC Media
scworld.com
Open sourceGeorgia healthcare company data breach impacts more than 620,000 | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Qilin Ransomware Attacks on North American Organizations
The Qilin ransomware gang has claimed responsibility for significant cyberattacks against major North American organizations, including Canadian electrical services provider Spark Power and U.S.-based recruitment firm Cornerstone Staffing Solutions. In the Spark Power incident, Qilin alleges the theft of 222 GB of data, potentially including operational files, financial records, and employee personal information, with researchers warning of possible operational disruptions if systems are locked. For Cornerstone Staffing Solutions, Qilin claims to have exfiltrated 300 GB of sensitive data, including nearly 1 million files with resumes, personal records, Social Security numbers, and internal financial documents, with sample files leaked to substantiate the breach. Qilin has emerged as one of the most prolific ransomware operations, reportedly targeting nearly 1,000 organizations since 2023 and over 500 in the past six months alone. The group’s attacks have resulted in the exposure of sensitive employee and business data, raising concerns about the operational and reputational impact on affected organizations. These incidents highlight the ongoing threat posed by ransomware groups to critical infrastructure and service providers across North America.
Mar 21, 2026
Qilin Ransomware's Surge and High-Profile Attacks on Global Organizations
The Qilin ransomware group has emerged as one of the most prolific ransomware operations, claiming responsibility for over 500 attacks in the past six months and targeting major organizations worldwide. Notably, Qilin has allegedly stolen 10 GB of data from International Game Technology (IGT), a multinational provider in the gaming and fintech sectors, with over 21,000 files reportedly exfiltrated. The group has also targeted other high-profile victims, including Cornerstone Staffing Solutions, Spark Power, and Habib Bank AG Zurich, and is known to collaborate with other ransomware operations such as DragonForce and LockBit. Qilin, along with Akira and INC, accounted for 65% of ransomware attacks in Q3 2025, with a significant portion of these incidents facilitated by compromised VPN credentials. Ransomware activity has seen a marked increase globally, with leak posts rising by 11% over the previous quarter and a surge in attacks reported in October. Attackers are increasingly exploiting vulnerabilities in VPNs and external services, and the prevalence of zero-day vulnerabilities has also grown, with notable bugs affecting Citrix NetScaler, CrushFTP, and Microsoft SharePoint. Security experts recommend organizations implement multi-factor authentication and strengthen vulnerability management practices to mitigate the escalating ransomware threat landscape.
Mar 21, 2026
Ransomware and data-breach disclosures across education, critical infrastructure, and healthcare
Rome’s **La Sapienza University** shut down network systems as a precaution after a cyberattack caused widespread disruption and left its website offline; Italian media attributed the incident to a suspected ransomware operation linked to pro-Russian actor **Femwar02**, with reported tradecraft resembling **Bablock/Rorschach**-style fast encryption. Separately, Romania’s national oil pipeline operator **Conpet** reported a cyberattack that disrupted corporate IT and took down `www.conpet.ro` while leaving **OT/SCADA** and pipeline transport operations unaffected; **Qilin** claimed responsibility, alleging theft of nearly **1TB** of data and posting sample documents (including financial data and passport scans) to support extortion claims. In the U.S., government services contractor **Conduent** faced expanding breach impact from its January 2025 ransomware incident, with notifications indicating exposure potentially reaching **dozens of millions**; reported affected data includes **names, Social Security numbers, and medical/health insurance information**, with at least **15.4M** impacted in Texas and **10.5M** in Oregon per state disclosures. Additional healthcare-sector disclosures included a ransomware-linked intrusion at **Insightin Health** (unauthorized access in September 2025; **Medusa** claimed exfiltration of **378GB**) and a separate compromise at **Clinic Service Corporation** (August 2025 access window), while **Central Ozarks Medical Center** reported a criminal cyberattack affecting **11,818** individuals with exposure of PHI/PII (including SSNs and financial/insurance data). Other items in the set were not incident-specific: an **HHS-OIG** audit describing web application security weaknesses at a large hospital, and general guidance/education pieces on the value of medical records to attackers and **CISA** insider-threat guidance.
Mar 21, 2026