XP95 Data-Theft Attack on Healthdaq Exposes Sensitive Healthcare Recruitment Records
Healthdaq, a Dublin-based recruitment platform used by Northern Ireland health trusts and other public health bodies, disclosed unauthorized access to its systems after attackers linked to the XP95 extortion group claimed to have stolen nearly half a million files. Reported exposed data includes names, contact details, CVs, qualifications, passport copies, other government-issued identification, criminal background checks, vaccine records, forms, and in some cases health information. Healthdaq said it detected the breach on 30 March, contained the incident, and notified regulators and law enforcement, including the Garda National Cyber Crime Bureau, while the UK Information Commissioner's Office said it is assessing the company’s report.
The incident prompted heightened alerts across Northern Ireland health trusts because of the volume and sensitivity of the compromised records and the risk of identity theft, fraud, and misuse of personal information. Reporting indicates Healthdaq received a ransom demand, and threat intelligence describes XP95 as a newly observed actor using a pure data theft and extortion model rather than file-encrypting ransomware; its first publicly identified victim was Eholo Health, a Spanish mental health SaaS provider serving psychologists in Spain and Andorra. The breach also underscored broader pressure on healthcare technology suppliers after a separate attack on Dutch EPD vendor ChipSoft disrupted hospital services and triggered parliamentary scrutiny over sector dependence on a small number of critical vendors.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Dutch parliament opens probe into ChipSoft attack
Lawmakers from D66 asked Health Minister Hermans to explain the impact of the ChipSoft incident on healthcare continuity, whether patient data was stolen, and whether cybersecurity requirements for critical healthcare IT suppliers are adequate. The attack also prompted at least 23 data leak notifications to the Dutch Data Protection Authority.
ChipSoft ransomware attack disrupts Dutch healthcare operations
A ransomware attack on ChipSoft, a major Dutch electronic patient dossier software provider, disrupted healthcare operations and led several hospitals to take patient portals offline. ChipSoft reportedly disconnected multiple platforms and began restoring services using new keys.
Northern Ireland health trusts placed on high alert over Healthdaq incident
Following reporting on the Healthdaq breach and XP95's claims, Northern Ireland health trusts were placed on high alert because the recruitment platform was used by the trusts. The incident raised concerns over identity theft, fraud, and exposure of sensitive applicant data.
ICO confirms receipt of Healthdaq breach report
The UK Information Commissioner's Office said it had received a report from Healthdaq Limited and was assessing the information provided. This confirmed regulatory notification following the breach disclosure.
XP95 claims Healthdaq breach and demands ransom
XP95 claimed responsibility for the Healthdaq intrusion, saying it stole nearly half a million files. Reported exposed data included names, contact details, CVs, qualifications, passport and other government ID copies, criminal background checks, vaccine records, and in some cases health information.
Healthdaq detects unauthorized access and contains the breach
Healthdaq said it became aware of unauthorized access to its systems on 2026-03-30 and took steps to contain the incident. The company later reported the matter to regulators and law enforcement, including the Garda National Cyber Crime Bureau.
XP95 extortion group is first observed targeting Eholo Health
Threat intelligence reporting says XP95, a data-theft-and-extortion actor, was first observed on 2026-03-04. Its first known victim was Eholo Health, a Spanish mental health SaaS platform serving psychologists in Spain and Andorra.
Sources
4 references tracked.
Dutch Parliament Probes ChipSoft Ransomware Attack - Cyberwarzone
cyberwarzone.com
New XP95 hacker group targets Dublin recruitment platform Healthdaq
siliconrepublic.com
Healthcare recruitment company says gardaí investigating ‘cyber security incident’ - The Irish Times
irishtimes.com
Healthdaq: Recruitment platform used by health trusts targeted by cyber attackers
bbc.com


