For Singing River Health, it’s the second breach in two years, impacting 54k.
What happened
Singing River Health System, based in Mississippi, revealed that a breach of its network, which took place in December of 2025, has impacted approximately 53,888 former and current patients. The hospital system determined through an investigation with a third-party cybersecurity firm that the breach took place between December 19th and 21st, 2025.
The Health System revealed the magnitude of the attack over time; in February of 2026, the system confirmed that sensitive data had been stolen, including contact information, Social Security numbers, dates of birth, IDs, details of patient treatment, diagnostic test results, lists of medications, bank account information, health insurance numbers, and provider names.
Singing River reported the incident to the Department of Health and Human Services (HHS), on May 19th, 2026.
As a result of the incident, known victims were notified and provided complimentary credit monitoring services. Singing River also claimed to have implemented security upgrades.
The backstory
For Singing River, this isn’t their first time responding to a ransomware attack. The system faced a breach in August of 2023 with an even larger impact; approximately 895,204 individuals had their Social Security numbers and other sensitive data stolen. Rhysida, another prominent ransomware group that emerged in 2023 and is linked to Russia, claimed responsibility for the attack, demanding almost $800,000. It’s unclear if Singing River ever paid the ransom.
Singing River was also impacted in 2024 by the Change Healthcare ransomware attack, which led Singing River to change payment processors. As such, between 2023 and 2025, Singing River has been involved in a data breach every year.
What’s new
Now, according to Comparitech, the breach has been claimed by the cybercrime gang known as Anubis. According to the news report, Anubis has listed Singing River on its data breach site, claiming to have 293 GB of data and over 1.2 million files from the hospital system. Anubis posted a sample to prove its claim, which included highly sensitive images of surgeries and injuries. Currently, Singing River has not acknowledged or verified any claims, so while it seems Anubis may have been responsible, it's always possible the group is being dishonest.
In the know
Anubis as a ransomware group that first became known in 2024. They now operate a ransomware-as-a-service scheme (Raas), where affiliates pay Anubis to use their ransomware tools in exchange for part of the ransom. Anubis uses a malware that steals data and locks down infected computer systems. According to Comparitech’s running log of worldwide ransomware attacks, Anubis has claimed responsibility for 74 ransomware attacks. 14 attacks were confirmed by the victim organizations.
The big picture
Repeated attacks can harm any organization financially and reputationally. While many factors can influence the cost of a data breach, research from Paubox’s team has found that the time it takes to detect a breach and how overall disruptive it is to operations and service can influence legal costs or fines.
Although Singing Health would probably have been unable to prevent the attack at Change Healthcare, the other two would likely have been prevented with better cybersecurity tools and protocols. Repeated attacks show that an organization is ill-prepared and could make them even more susceptible to attacks in the future. With attacks in close proximity, legal risks can also be heightened, since they show Singing Health failed to improve their security standards after prior attacks. With data breaches regularly occurring at organizations around the world, it’s possible more and organizations will become repeat victims, but it’s unclear how multiple breaches wil be treated by the law and public perception.
FAQs
Do smaller breaches matter?
Yes. Although this breach only impacted approximately 50,000 individuals, that’s still an overall sizable amount. In healthcare, many people have become desensitized to data breaches because there are so many. But even smaller breaches can lead to identity theft or fraud and create significant financial problems for the institutions tasked with recovering.
Why do cybercriminals wait to release their list of victims?
First, researchers don’t always check leak sites, like where Anubis posted, regularly, meaning the post on Anubis’ website may not be particularly recent. Second, criminals may wait to post information about a leak because posting it prematurely would take away the incentive for victims to negotiate. Most victim institutions are eager to avoid the negative publicity of a data breach, which threat groups try to take advantage of during negotiations. Once negotiations ended, and Anubis wasn’t happy with the results, they become further incentivized to post the stolen information oline.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
Farah Amod : April 1, 2026
