AdvancedHEALTH Ransomware Claim Includes 2.3M Patient Data Lines

AdvancedHEALTH Ransomware Claim Includes 2.3M Patient Data Lines

AdvancedHEALTH Ransomware Claim Includes 2.3M Patient Data Lines

Generated with Google’s Nano Banana 2.

DragonForce claims it stole 390GB from AdvancedHEALTH, including patient data and minors’ records, as breach notices and legal scrutiny begin.

Written By
Liz Ticong
Liz Ticong
May 19, 2026

A ransomware gang is trying to turn a Tennessee healthcare group into a public pressure campaign.

DragonForce claims it stole 390 GB of data from AdvancedHEALTH, including 2.3 million lines of patient information and records tied to minors, according to cybersecurity firm DeXpose. AdvancedHEALTH has not confirmed the group’s full claim, and the scope of any exposed data remains unverified.

At least one affiliated clinic has notified patients of a breach, while class-action attorneys are seeking current and former patients and employees who believe their information may have been compromised.

Leak deadline hangs over a wider data claim

DragonForce paired its leak-site post with a deadline, threatening to publish “1,000 lines of patient data per day” until a payment was made or the countdown expired, according to DeXpose.

The patient files appear to be the center of the extortion threat. International Cyber Digest put the dataset at almost 2 million unique patient records after deduplication across 179 patient files, with 83,162 minors included in that count.

The claimed haul also reaches into business operations, with partner agreements, management documents, payroll records, and HR files listed among the materials. A file tree reviewed by International Cyber Digest included eClinicalWorks artifacts, carrier contracts with major insurers, and roughly 200 PatientData subdirectories apparently tied to individual medical practices.

What has been confirmed so far

AdvancedHEALTH declined to comment, and there’s no official confirmation of DragonForce’s allegations.

However, an affiliated clinic provides the clearest confirmed link so far. According to Comparitech, Columbia Surgical Partners told patients it was notifying them about a breach at its parent company, Advanced Diagnostic Imaging, which does business as AdvancedHealth.

The ransomware attack also reportedly disrupted the clinic’s access to electronic medical records, showing an operational impact separate from DragonForce’s broader data-theft claim.

DragonForce runs on a ransomware-as-a-service model

DragonForce operates as ransomware-as-a-service, giving affiliates access to its malware and infrastructure in exchange for a share of ransom payments. The model can make attribution messy because the name on the leak site may represent a broader network of operators rather than a single fixed crew.

Since late 2023, the group has targeted victims across retail, shipping, logistics, technology, and critical infrastructure. Its 2026 activity has been heavy, with 167 claimed attacks and 14 confirmed by targeted organizations.

Healthcare has not been outside its orbit. Prior incidents attributed to DragonForce include Asheville Eye Associates, Heart of Texas Behavioral Health Network, Greater Cincinnati Behavioral Health Services, and Neurological Associates of Washington.

Legal scrutiny is already building around the alleged incident. Class-action attorneys are seeking current and former AdvancedHEALTH patients and employees as they investigate whether to file a lawsuit.

The Canvas hackers’ 275 million-record claim has pushed Instructure into a high-stakes breach response.

Liz Ticong

Liz Ticong is a technology writer specializing in artificial intelligence, cybersecurity, software reviews, and emerging business technologies. With more than a decade of professional writing experience and over five years contributing technology content for TechnologyAdvice, she helps readers understand complex technologies and evaluate the tools that best fit their needs. Liz has extensive experience researching, testing, and analyzing software platforms, AI tools, and technology solutions. Her work includes in-depth software reviews, buyer’s guides, product comparisons, and technology news coverage designed to help businesses make informed purchasing and implementation decisions. She regularly evaluates AI applications, automation tools, cybersecurity solutions, and business software, providing practical insights based on hands-on testing and research. In addition to her work with TechnologyAdvice, Liz has contributed technology content to leading industry publications, including eWeek and TechRepublic. Her background in technical writing and software analysis enables her to translate complex technical concepts into clear, actionable guidance for both business and technology audiences. Liz holds a bachelor's degree in Broadcast Communication from the Polytechnic University of the Philippines and continues to expand her expertise through ongoing education in artificial intelligence and emerging technologies. Through her writing, she helps readers navigate a rapidly evolving technology landscape with practical, research-driven insights and real-world product analysis.