Elmcrest Children's Center faces ransomware claimed by Interlock group

The New York-based children’s medical center is providing a public notice to data breach victims. 

What happened

Elmcrest Children’s Center recently published a data breach notice on their website, dated for October 2nd, 2025. Elmcrest has not yet reported the breach to the Department of Health and Human Services (HHS), so the number of impacted individuals has not yet been confirmed. 

According to Elmcrest, impacted information may have included names, dates of birth, and medical information. However, the medical center stated their review is ongoing and impacted information may vary by individual.

Going deeper

In their notice, Elmcrest said the suspicious activity was discovered on their computer network. After the discovery, an investigation determined that an unauthorized user had accessed certain systems and copied certain files between March 10th, 2025 and July 24th, 2025. 

Elmcrest also stated that their investigation is still continuing, and they currently do not know who was impacted, nor have they gathered any contact information. They stated, “In the interim, we are providing notice of the event to potentially impacted individuals via this website posting.” 

In response to the incident, Elmcrest said they are currently evaluating their “technical and administrative policies and procedures on an ongoing basis and will continue to evaluate and update these controls as appropriate.” 

While Elmcrest has not yet confirmed the cause of the attack, ransomware gang Interlock has claimed responsibility. The malicious organization claims to have 450 GB of copied data.  

The big picture

Ransom attacks can be particularly malicious, as threat actors will generally demand a certain amount of money in exchange for not posting the stolen data on the dark web. It is generally inadvisable for organizations to pay ransoms, as it can make them more likely to be targeted in the future. According to Paubox’s State of Cybersecurity Report, since 2018, ransomware attacks on healthcare organizations have surged by 264%, showing a greater need for anti-ransomware training and software. 

FAQs

Is posting about a data breach on a website sufficient notice to victims? 

Generally, organizations must do everything in their power to directly contact impacted individuals, usually via mail. 

When will the breach be reported to the HHS?

Elmcrest’s timeline for reporting the breach to the HHS is currently unknown and likely depends on how quickly they are able to complete the investigation. The breach may be officially reported in a few weeks or even a few months.