Ransomware group targets Jordan Drug pharmacies in Kentucky
Farah Amod
Jul 22, 2025 1:02:07 PM

A ransomware gang has claimed responsibility for a cyberattack on Jordan Drug, a pharmacy and medical supplier serving eastern Kentucky.
What happened
Jordan Drug, Inc., a network of independent pharmacies and medical supply centers in eastern Kentucky, has been listed as a victim of the ransomware group INCRANSOM. The attack was first disclosed on May 30, 2025, after the group published details on its dark web leak site.
While no specific files have been released publicly, the attackers appear to have exfiltrated internal documentation, possibly including operational records and communications. A screenshot posted on the leak site shows part of the company's internal system, supporting claims of unauthorized access and data theft.
Going deeper
Jordan Drug operates several pharmacy locations, as well as medical service centers. The leak page suggests attackers gained access to infrastructure-level data but does not explicitly confirm whether patient information or personally identifiable data was compromised. The presence of a ransom note or internal documentation points to an active extortion attempt, a common tactic in healthcare-targeted ransomware incidents.
The information was scraped from INCRANSOM’s Tor-based leak blog and republished by RedPacket Security. No sensitive files or download links are hosted publicly, and the reporting site stated it is not affiliated with the attackers.
What was said
RedPacket Security stated clearly that it does not store or share any stolen content and only publishes automated alerts based on information from ransomware group sites. The group has not released an official statement, and Jordan Drug has not yet responded publicly to the breach.
The inclusion of Jordan Drug on INCRANSOM’s site suggests the group is continuing its campaign against healthcare organizations, which are often seen as lucrative targets due to the sensitive nature of their data and limited downtime tolerance.
The big picture
The attack on Jordan Drug points to ongoing cybersecurity challenges facing smaller healthcare providers. Unlike larger hospital systems, regional networks and independent practices may have fewer resources to invest in advanced security tools. Ransomware operations continue to affect the healthcare sector, where disruption can have serious consequences for patient care and operations. This incident adds to a series of similar cases, reinforcing the need for stronger defenses, continuous monitoring, and well-prepared incident response plans.
FAQs
Why do ransomware groups often target smaller healthcare providers like Jordan Drug?
Smaller providers often have fewer cybersecurity resources, making them easier to breach while still offering access to valuable operational or medical data.
What is INCRANSOM, and how do they operate?
INCRANSOM is a ransomware group known for targeting healthcare and other critical sectors. They use extortion tactics that include data theft, ransom notes, and public exposure on dark web blogs.
How do leak sites like the one on Tor play a role in ransomware campaigns?
Leak sites are used by threat actors to pressure victims by threatening to publish stolen data if ransom demands are not met. They also signal credibility within the cybercriminal ecosystem.
Can a healthcare provider like Jordan Drug be penalized under HIPAA for such breaches?
Yes. If protected health information (PHI) is compromised, providers may face investigations and penalties under HIPAA depending on breach scope and compliance failures.
What steps should be taken by organizations after being listed on a ransomware leak site?
Organizations should secure their systems, engage cybersecurity professionals, notify relevant authorities, and begin breach assessment and patient notification protocols if applicable.