On July 5, 2025, DataBreaches.net reported that Kentfield Hospital, a critical care facility in California and part of Vibra Healthcare, had fallen victim to a cyberattack carried out by the threat actor group World Leaks.
What happened
World Leaks claimed responsibility for the attack and listed Kentfield Hospital on its leak site. The group claimed to have exfiltrated 146.4 GB of data comprising 140,683 files from the hospital’s internal servers. Although the full dataset had not been publicly released at the time of reporting, DataBreaches.net previewed the tranche and found that it contained highly sensitive and unencrypted protected health information (PHI).
The files were organized by named patient folders, including documentation of admission, treatment, discharge, and detailed medical data such as names, dates of birth, medical and financial record numbers, diagnoses, medications, care notes, and test results. The data also included over 28,000 medical image files showing patients’ anatomy for treatment purposes, many from 2020 through 2024, including CMS quality reviews and patient complaint investigations.
In addition to patient data, a limited amount of employee information, such as disciplinary reports and a list of new hires with names, roles, and dates of birth, was also included, although no payroll databases or Social Security numbers were found. Kentfield Hospital has not yet acknowledged the breach publicly or posted any alert on its website.
In the know: What is World Leaks?
While not much is publicly known about the group’s internal operations or origins, cybersecurity analysts have speculated that World Leaks may be a rebranding or evolution of the notorious ransomware gang Hunters International, which itself had connections to other high-profile ransomware operations like Conti and REvil. Unlike traditional ransomware groups that encrypt data and demand payment for a decryption key, World Leaks focuses on data exfiltration and public exposure, often bypassing file encryption entirely.
This strategy allows hospital systems and other victims to continue operations while still placing them under intense pressure through the threat of reputational damage and regulatory fallout. In the Kentfield Hospital breach reported in July 2025, World Leaks demonstrated this modus operandi by stealing 146.4 GB of sensitive patient and administrative data and posting a preview of the files online, without disrupting hospital services.
What was said
According to a July 5, 2025 post by Databreaches.net, “There is nothing on Kentfield’s website to alert patients or employees to any incident involving personal information. Because World Leaks claims that they do not encrypt systems or files, hospital functions and patient care may not have been disrupted by this incident, but the hospital would appear to have a reportable breach that will require notification to HHS, California regulators, some personnel, and patients.
DataBreaches submitted a contact form inquiry to the hospital this morning, asking when they first discovered a breach and what they were doing in response to it. No reply was immediately received. This post will be updated if a reply is received.”
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is a data breach?
A data breach is an incident where unauthorized individuals access, steal, or expose confidential or sensitive information.
How soon must a data breach be reported?
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. They must also notify HHS and sometimes the media, depending on the scale.
What is PHI?
PHI refers to any information in a medical record that can identify an individual and that was created, used, or disclosed in the course of providing healthcare services
Kirsten Peremore
