Ransomware and data-extortion incidents drive new breach disclosures across healthcare, aviation, and hospitality
Multiple organizations disclosed or were linked to ransomware/data-extortion activity with material operational or privacy impact. Air Côte d’Ivoire confirmed a cyberattack affecting parts of its information systems after INC ransomware claimed theft of 208 GB and threatened to leak data, while the airline said it engaged the national CERT and external experts to contain impact and maintain flight operations. In the US healthcare sector, University of Mississippi Medical Center (UMMC) reported a ransomware incident that forced statewide clinic closures and disrupted access to Epic electronic medical records, prompting engagement with the FBI and CISA and use of downtime procedures to sustain patient care. Separately, Conduent’s earlier ransomware-linked breach continued to expand in scope, with breach notifications indicating at least ~25 million people affected across multiple states and exposure of sensitive PII (including SSNs and health/insurance data). Wynn Resorts also confirmed an unauthorized party accessed and stole employee data after being listed by the ShinyHunters extortion group, with the company stating the actor claimed the data was deleted and that guest operations were not impacted.
Other items in the set describe distinct, unrelated security events and broader threat research rather than the same incident: alleged data leaks involving Burger King France and Wendy’s UK; Qilin ransomware claims against a New York City transit union; Russian cyber operations against Ukraine’s power grid focused on intelligence collection; and a New Zealand healthcare application (MediMap) taken offline after apparent unauthorized access and patient record tampering (e.g., records marked deceased). Additional references cover threat research and trends (airline brand impersonation domains, edge-device exploitation telemetry, MuddyWater’s Operation Olalampo, Google Ads cloaking via 1Campaign, freight/logistics phishing by “Diesel Vortex,” and various governance/AI/5G/quantum commentary), which provide context on the threat environment but do not substantively report on the same specific breach event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Air Côte d’Ivoire publicly discloses cyberattack
Air Côte d’Ivoire publicly confirmed the cyberattack and said it was working with national incident responders and technical specialists. The airline emphasized that flight safety and operational continuity were being maintained.
Conduent breach tally grows to at least 25 million people
State breach notifications and reporting indicated that the Conduent incident affected at least 25 million people, with the largest impacts reported in Oregon and Texas. Exposed data included Social Security numbers and medical or health insurance information.
Wynn Resorts confirms employee data theft after extortion threat
Wynn Resorts confirmed that an unauthorized party stole certain employee data and said it had launched an investigation with outside cybersecurity experts. The company said guest operations and physical properties were not affected and that the attackers claimed the stolen data had been deleted.
INC ransomware claims Air Côte d’Ivoire theft and sets leak deadline
The INC ransomware operation claimed it stole 208 GB of data from Air Côte d’Ivoire and threatened to publish it by February 24, 2026. This public claim preceded the airline’s disclosure of the incident.
Wynn Resorts appears on ShinyHunters leak site with extortion deadline
ShinyHunters posted Wynn Resorts on its leak site, claiming to have stolen more than 800,000 employee records containing personal information and demanding contact by February 23, 2026. The post was later removed, suggesting possible negotiations or a disputed claim.
UMMC closes statewide clinics and activates emergency response
Following the attack, UMMC shut down all statewide clinic locations, canceled outpatient surgeries, procedures, and imaging appointments, and activated its Emergency Operations Plan. Hospital services continued under downtime procedures while the network was proactively taken offline for assessment.
UMMC ransomware attack disrupts IT and medical records access
A ransomware attack hit the University of Mississippi Medical Center, disrupting multiple IT systems including Epic electronic medical records. The incident prevented normal access to records and affected clinical operations across the organization.
Air Côte d’Ivoire systems are compromised in cyberattack
Air Côte d’Ivoire said parts of its information systems were compromised in a cyberattack earlier in February 2026. The airline engaged Côte d’Ivoire’s CERT and technical experts while maintaining that flight operations remained stable.
Conduent publishes hard-to-find incident notice page
In October 2025, Conduent published an incident notice page about the breach, but the page reportedly did not explicitly mention a cybersecurity incident and included a noindex tag that made it harder to discover via search engines.
Conduent suffers ransomware attack tied to later data breach
Conduent was hit by a cyberattack in January 2025 that was later claimed by a ransomware group. The incident ultimately led to the exposure of sensitive personal data processed for U.S. state benefit and related services.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Cyberattack disclosed by Air Cte d’Ivoire after INC ransomware claims | SC Media
scworld.com
Open sourceConduent data breach grows, affecting at least 25M people | TechCrunch
techcrunch.com
Open sourceWynn Resorts confirms employee data breach after extortion threat
bleepingcomputer.com
Open sourceRansomware attack forces University of Mississippi Medical Center to close clinics | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware and data-breach disclosures across education, critical infrastructure, and healthcare
Rome’s **La Sapienza University** shut down network systems as a precaution after a cyberattack caused widespread disruption and left its website offline; Italian media attributed the incident to a suspected ransomware operation linked to pro-Russian actor **Femwar02**, with reported tradecraft resembling **Bablock/Rorschach**-style fast encryption. Separately, Romania’s national oil pipeline operator **Conpet** reported a cyberattack that disrupted corporate IT and took down `www.conpet.ro` while leaving **OT/SCADA** and pipeline transport operations unaffected; **Qilin** claimed responsibility, alleging theft of nearly **1TB** of data and posting sample documents (including financial data and passport scans) to support extortion claims. In the U.S., government services contractor **Conduent** faced expanding breach impact from its January 2025 ransomware incident, with notifications indicating exposure potentially reaching **dozens of millions**; reported affected data includes **names, Social Security numbers, and medical/health insurance information**, with at least **15.4M** impacted in Texas and **10.5M** in Oregon per state disclosures. Additional healthcare-sector disclosures included a ransomware-linked intrusion at **Insightin Health** (unauthorized access in September 2025; **Medusa** claimed exfiltration of **378GB**) and a separate compromise at **Clinic Service Corporation** (August 2025 access window), while **Central Ozarks Medical Center** reported a criminal cyberattack affecting **11,818** individuals with exposure of PHI/PII (including SSNs and financial/insurance data). Other items in the set were not incident-specific: an **HHS-OIG** audit describing web application security weaknesses at a large hospital, and general guidance/education pieces on the value of medical records to attackers and **CISA** insider-threat guidance.
Mar 21, 2026
Ransomware and data-extortion activity escalates, highlighted by Conduent’s expanded breach impact and new tooling by World Leaks
Reporting and research indicate **ransomware/data-extortion activity remained elevated through 2025 into early 2026**, with threat actors increasingly emphasizing **data theft, public pressure, and supply-chain leverage** rather than encryption alone. Cyble’s threat landscape findings cited by TechRepublic put 2025 at **6,604 recorded ransomware attacks** (up **52% YoY**), with **731 attacks in December** and **2,000+ claims in the last three months of 2025**; the same reporting also notes **supply-chain attacks nearly doubled**, increasing the potential blast radius when service providers are hit. A major example is *Conduent*, where the **January 2025 ransomware attack** is now assessed to have impacted **~25 million Americans** (up from an initial **10 million**), with reporting describing **~8TB of data** stolen including **Social Security numbers and medical data**, alongside days of operational disruption. Separately, Accenture-linked research reported that the **World Leaks** extortion operation added a custom Rust-based tool, **`RustyRocket`**, described as a stealthy **data-exfiltration and proxy** capability using obfuscated, multi-layer encrypted tunnels and a runtime “guardrail” requiring a pre-encrypted configuration—features intended to make detection and monitoring difficult. Broader ecosystem reporting also highlights how **data leak sites (DLSs)** and “naming-and-shaming” tactics have become central to double-extortion pressure, while a weekly incident roundup underscores continued real-world disruption from ransomware (e.g., impacts to public services) and ongoing regulatory consequences for inadequate security controls following breaches.
Mar 21, 2026
Ransomware and Data-Theft Incidents Impacting US Healthcare and Education Organizations
The University of Hawaiʻi Cancer Center confirmed a **ransomware-driven data breach** affecting its epidemiology division, with the potential exposure of data tied to up to **1.2 million individuals**. The university reported that attackers accessed files containing **SSNs and driver’s license numbers** sourced from historical Hawaiʻi DOT records and Honolulu voter registration data (dating back to 1998), as well as health-related research data connected to the **Multiethnic Cohort (MEC) Study** and other diet-and-cancer studies; the incident was discovered on **August 31, 2025**, and the university acknowledged it engaged with the threat actors while restoration and impact assessment were underway. Separately, a “cyber incident” caused a **five-school-day internet outage** at the Denmark School District in Wisconsin; the **INC Ransom** group claimed the victim on its leak site, alleging both **encryption** and theft of roughly **70.76 GB** of data, though the district had not publicly confirmed ransomware or data exfiltration. In the healthcare sector, **Insight Hospital and Medical Center** in Chicago reported unauthorized network access between **August 22 and September 11, 2025**, and the **Termite** group later claimed to have stolen and then **leaked ~360 GB** (about 900,000 files) of “confidential data,” including medical imaging files (e.g., `.dcm`), raising the likelihood of exposure of both identity data and protected health information.
Mar 21, 2026