Community Health Action of Staten Island breach exposes 60k records

A ransomware incident involving a New York nonprofit serving vulnerable populations has exposed sensitive medical and personal information.

 

What happened

Community Health Action of Staten Island reported a data breach involving both personally identifiable information (PII), such as names or Social Security numbers, and protected health information (PHI), which includes medical records and health insurance data. According to ClaimDepot, the GENESIS ransomware group claimed responsibility for the attack on February 13, 2026, stating on a dark web forum that it had accessed and stolen sensitive data from the organization. The group said the files included medical databases containing more than 60,000 records related to HIV testing, as well as personal data, financial records, contracts, and internal documents. The breach was formally reported to the Massachusetts Office of Consumer Affairs and Business Regulation on February 24, 2026, confirming that residents were affected and that the exposed information may include names, Social Security numbers, driver’s license or ID numbers, bank account details, health insurance information, and medical data.

 

Going deeper

Ransomware attacks against healthcare organizations often involve both system disruption and data theft, with attackers threatening to publish stolen information if a ransom is not paid. In this case, the threat actor claimed to have stolen large datasets containing medical testing and administrative records and later listed the breach on a dark web leak site, which typically indicates the ransom demand was not paid. The group alleged that the data includes HIV testing records and other medical information that qualifies as PHI under the Health Insurance Portability and Accountability Act. Financial records, government grant documents, and human resources files were also reportedly included in the stolen dataset, which could create operational and regulatory challenges for the organization if the claims are confirmed.

 

What was said

In response to the breach, Community Health Action of Staten Island said in its breach notice, “We are contacting you to let you know this happened and to assure you that we take this very seriously. We are offering you a complimentary two-year membership to Experian’s IdentityWorks℠,” a service that monitors for signs of identity theft. The organization added that it has also implemented enhanced monitoring and alerting software to help detect suspicious activity and reduce the risk of similar incidents in the future.

 

In the know

Genesis is a relatively new ransomware group that first began posting victims on its leak site in October 2025. According to Comparitech, the gang initially claimed nine attacks against U.S. organizations, including an optometry clinic and a grocery chain. In those incidents, the group said it stole 400 GB of financial, payroll, and HR data from Healthy Living Market & Café and 200 GB of medical records and patient data from River City Eye Care. Like many modern ransomware operators, Genesis uses double-extortion tactics, stealing data before encrypting systems and threatening to publish the files if victims refuse to pay a ransom.

 

The big picture

The ransomware attack on the New York nonprofit comes amid a wider increase in healthcare cyber incidents. Data from the U.S. Department of Health and Human Services shows ransomware attacks in the sector have risen 264% since 2018. The 2025 Healthcare Email Security Report found that many organizations take an average of 308 days, or about 10 months, to identify and contain a breach. Researchers also reported that 74% of breached organizations did not enforce DMARC, an email authentication standard that helps verify legitimate messages and block attackers from impersonating trusted senders in phishing emails that often lead to ransomware. The report, The Hidden Cost of Inaction, also noted that while most healthcare organizations provide cybersecurity training, only about 5% of phishing attempts are reported to security teams. Analysts estimate these types of security gaps can lead to an average financial impact of about $9.8 million per ransomware incident.

 

FAQs

Why are healthcare organizations frequent targets of ransomware groups?

Healthcare systems maintain valuable datasets that include medical histories, insurance details, and personal identifiers, which can be exploited for identity fraud or used to pressure organizations during extortion attempts.

 

What qualifies as protected health information under HIPAA?

Protected health information refers to individually identifiable health data, such as diagnoses, medical records, treatment history, and insurance information that is held or transmitted by healthcare providers or related organizations.

 

What risks arise when medical data, such as HIV testing records, are exposed?

Exposure of sensitive medical records can lead to identity theft, insurance fraud, reputational harm, and privacy violations that may affect individuals long after the incident occurs.

 

Why do ransomware groups publish breach claims before official disclosures?

Threat actors often post claims on dark web leak sites to pressure victims into paying ransom demands or to demonstrate proof of compromise before releasing stolen data.

 

What should affected individuals do after a healthcare data breach?

Individuals should review financial and insurance statements, monitor credit reports, enroll in identity protection services offered by the organization, and report suspicious activity immediately.
