The Kansas City OB/GYN practice says an intrusion exposed names, Social Security numbers, and medical details.
Rockhill Women’s Care reported that an unauthorized party accessed its network on February 26, 2025, leading to the exposure of electronic protected health information for up to 70,129 patients. According to a report by The Register, the Qilin ransomware group later claimed responsibility and posted samples of the stolen data on its leak site.
The practice engaged external cybersecurity specialists immediately after detecting the intrusion and notified law enforcement. Investigators confirmed that the attacker viewed or obtained personal and medical information, which included names, addresses, birth dates, Social Security numbers, treatment histories, and insurance details. A data mining vendor reviewed the compromised files to identify affected patients, and that work was completed on August 13, 2025. After verifying contact information, Rockhill Women’s Care mailed individual notification letters beginning September 30. The organization stated that it had not identified evidence of misuse at the time of notification and has implemented additional security measures to reduce the risk of similar incidents.
Rockhill Women’s Care said that patient privacy remains a priority and that steps were taken to contain the incident immediately after discovery. The practice noted that specialized investigators handled the technical response and that a detailed review was needed to determine which patients were affected because of the volume and variety of files involved. The notification letters advise recipients to monitor accounts, review insurance statements for unfamiliar activity, and consider placing fraud alerts with the credit bureaus. The practice confirmed that law enforcement has been informed and that its internal systems are undergoing further security enhancements.
Healthcare providers continue to face sustained targeting from ransomware groups that steal sensitive data before or instead of encrypting systems, then use leak sites to pressure organizations into paying. Reporting from Fierce Healthcare shows an increase in data-exfiltration-only attacks across the sector, alongside continued incidents where ransomware causes operational disruption. Attackers often post samples of stolen patient or operational data on leak sites to increase their leverage during extortion attempts, reinforcing the sector’s ongoing exposure to aggressive ransomware campaigns.
Large healthcare breaches often involve extensive file sets that require manual and automated analysis to identify each affected individual and categorize the types of data involved.
Social Security numbers, combined with medical and insurance details, increase the potential for identity theft, medical billing fraud, and misuse of insurance benefits.
Ransomware groups frequently publish proof of stolen data, threaten full release, or contact patients directly to create urgency during extortion attempts.
External vendors specialize in reviewing compromised files, extracting structured information, and producing accurate lists of affected individuals for regulatory notification.
Affected patients can monitor insurance statements, request credit reports, place fraud alerts, and report suspicious activity to their healthcare provider or insurer.