Fake Claim from Ransomware Group About Theft of Patient Data
A ransomware group called Stormous claims to have stolen the personal and health information of 600,000 patients from North Country HealthCare. North Country HealthCare is a federally qualified community health center that provides comprehensive healthcare services to 11 communities in northern Arizona at 14 locations.
Stormous is a pro-Russia ransomware group that has been in operation since early 2022. The group engages in double extortion, stealing data and encrypting files, and demanding payment to obtain the decryption keys and prevent the publication of the stolen data on its dark web data leak site. The group is known to have attacked at least 150 companies, generally conducting fewer than 10 attacks per month, although in May 2025, the group conducted more than 15 attacks. The sectors most targeted by the group are hospitality and tourism, technology, business services, healthcare, and government. The top five countries attacked are Spain, the United States, the United Arab Emirates, France, and Brazil.
North Country HealthCare was listed on the group’s data leak site on July 13, 2025. Stormous claims to have obtained the health information of 600,000 patients, including “full personally identifiable information (PII), Protected Health Information (PHI), diagnostic codes (ICD), clinic data, provider details.” They include full name, date of birth, gender, phone number, clinic name, visit date/location, insurance provider, ICD code, and a description of the diagnosis. The group claims that the data of 100,000 patients will be listed for sale, and the data of 500,000 patients will be listed on the leak site for free.
According to a July 15, 2025, update, the files have been published. The HIPAA Journal has not downloaded any of the leaked data and has not verified the legitimacy of the group’s claims.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
“North Country HealthCare is aware of a claim made by a ransomware group on the dark web alleging unauthorized access to patient data,” explained North Country HealthCare in a statement provided to The HIPAA Journal. “We take any such claim seriously and immediately launched an internal investigation. We have found no evidence of a data breach or unauthorized access to our systems. Independent cybersecurity experts also have reviewed the data posted and found it to be inconsistent, unverifiable, and likely fabricated.”
North Country HealthCare provided an update on July 31, 2025. “North Country HealthCare has completed its investigation into the recent claim made by a ransomware group alleging unauthorized access to patient data. Following a thorough review by internal teams and independent cybersecurity experts, we can confirm with certainty that the claim was false, and no breach occurred,” a spokesperson for North County HealthCare told The HIPAA Journal. “The data posted online was found to be fabricated and not associated with NCHC systems or patient information. We appreciate the support of our cybersecurity partners and law enforcement agencies throughout this process. We continue to monitor our systems proactively and remain fully committed to the privacy and security of our patients and staff.”
Update: Interview with CIO
In an interview with The HIPAA Journal, North Country Health Care CIO Scott Carey shared further information on the Stormous ransomware group’s fake claim.
While Stormous claimed to have contacted North Country Health Care, no direct communication was received from the group. “We thoroughly checked our spam filters and held messages. No phone calls were received… Bottom line: there was no contact from Stormous.” After learning about the group’s claim, two vendors cut their connection as a precaution. North Country Health Care contacted the vendors and learned about the claim. An investigation was launched, and the Cybersecurity and Infrastructure Security Agency (CISA) proactively reached out.
“At the first sign of the issue, we initiated an information-gathering process. Key internal IT staff and vendor partners (our “Response Team”) were assembled to assess the claim, review our environment and cybersecurity posture, and notify relevant partners,” Scott said. “The Response Team (RT) analyzed publicly available information and took proactive steps to ensure we could recover if needed. Our RT participated in multiple daily calls, with clearly defined tasks between sessions. Information from the FBI and DHS was integrated into our response efforts.”
“Early in the triage process, we securely reviewed the sample data published on the Dark Web and determined it was not credible. We had multiple independent groups analyze the data, and the results were the same – the data was fake. This, along with other inputs, reinforced our conclusion that we had not been compromised. While our healthcare operations were unaffected, our IT and cybersecurity teams operated under the assumption that the threat was real—until the RT could confirm with full confidence that NCHC was not impacted,” explained Scott.
