
Beast ransomware group claims attacks in Kansas and Florida

Two healthcare providers in the United States have reported data breaches following cyberattacks later claimed by the Beast ransomware group.

 

What happened

A ransomware group known as Beast has claimed responsibility for cyberattacks affecting Meadowlark Hills retirement community in Kansas and MedPeds Associates of Sarasota in Florida. According to the breach notice, Meadowlark Hills, operated by the Manhattan Retirement Foundation, reported a breach affecting 14,442 individuals after unauthorized access to its network occurred between July 12 and July 21, 2025. Investigators determined that files containing personal and protected health information were exfiltrated during that period. The compromised data included names, dates of birth, Social Security numbers, driver’s license numbers, financial account details, health insurance information, and medical information. In a separate incident, MedPeds Associates of Sarasota identified unauthorized access to its computer systems on September 2, 2025, when ransomware encrypted files. The breach affected 21,430 individuals and exposed information including patient names, birth dates, addresses, phone numbers, and medical records.

 

Going deeper

Both incidents follow a pattern commonly seen in healthcare ransomware intrusions, where attackers gain access to internal systems, move laterally through networks, and exfiltrate sensitive data before triggering file encryption. Meadowlark Hills completed its forensic review of compromised files on January 28, 2026, confirming the scope of the data involved and issuing breach notifications to affected individuals in late February. MedPeds Associates reported that the FBI was notified about the intrusion and that the practice has since implemented additional safeguards and security measures. The Beast ransomware group has claimed to have stolen approximately 750 gigabytes of data from Meadowlark Hills and 400 gigabytes from MedPeds, although the allegedly stolen MedPeds data had not been published on the group’s leak site at the time of reporting.

 

What was said

Both organizations confirmed the incidents and said investigations were launched to determine the scope of the breaches. Manhattan Retirement Foundation, which operates Meadowlark Hills, said it “discovered unauthorized access to our network occurred between approximately July 12, 2025, and July 21, 2025,” and confirmed that a “limited amount of personal information was removed from our network.” MedPeds Associates also confirmed the intrusion, stating that “an unknown person or entity gained access to our computer system and placed a virus on the system that encrypted our data,” adding that “some data for patients was affected and viewed by the intruder.” Both organizations said they had not identified misuse of the exposed information when the notices were issued. Meadowlark Hills said it was “not aware of any reports of identity fraud,” while MedPeds said it was “not aware of any misuse of this data.”

 

In the know

According to RansomLook, Beast ransomware first appeared in 2022 as an upgraded version of the earlier Monster ransomware and operates under a ransomware-as-a-service model. The platform states it offers affiliates “rich customization options to create tailored binaries targeting Windows, Linux, and VMware ESXi systems.” The malware includes features such as “hybrid Elliptic-Curve + ChaCha20 encryption, segmented file encryption, ZIP wrapper mode, multithreaded processing, termination of services, shadow copy deletion, hidden partition usage, and subnet scanning,” with affiliates also given “configurable offline builders” to deploy attacks across multiple systems. Public reporting about the group’s victims, targeted sectors, and leak site activity remains limited.

 

The big picture

Ransomware has become a major driver of healthcare data breaches, responsible for many of the largest patient data exposures. A study published in JAMA Network Open found that ransomware attacks have exposed the records of at least 375 million individuals since 2010. Although ransomware incidents represent a smaller share of total breach reports, they affect far more patients because a small number of attacks involve extremely large datasets. Researchers noted that modern ransomware groups increasingly steal and threaten to publish data, which has shifted these incidents from short-term operational disruptions into lasting privacy risks.

 

FAQs

Why are healthcare organizations frequent targets for ransomware groups?

Healthcare providers hold large volumes of sensitive personal and medical information and often operate complicated IT environments that include legacy systems, which can create opportunities for attackers.

 

What does data exfiltration mean in a ransomware attack?

Data exfiltration refers to the unauthorized transfer of information from a victim’s systems to an attacker’s infrastructure, often used as leverage for extortion, even if systems are restored.

 

What part does the FBI play in ransomware investigations?

Healthcare organizations frequently notify federal law enforcement after ransomware incidents, allowing investigators to collect intelligence on threat groups and assist in response efforts.

 

Why do ransomware groups publish stolen data on leak sites?

Leak sites are used to pressure victims into paying ransom demands by threatening to publicly release sensitive information if payment is not made.

 

What protections are typically offered to affected individuals after healthcare breaches?

Organizations commonly provide credit monitoring and identity theft protection services when sensitive personal information, such as Social Security numbers, may have been exposed.
