Infinite Services Inc. falls victim to a ransomware attack

The mental healthcare provider recently alerted patients to a data breach.  

What happened

Infinite Services, Inc., a New York-based healthcare provider, recently reported a data breach to the Department of Health and Human Services (HHS). The breach was submitted on July 21st and stated that it impacted 31,742 individuals. 

Infinite Services has submitted a notice to the Office of the New Hampshire Attorney General, as required by New Hampshire Law. 

In the notice, Infinite Services stated that the provider first became aware of suspicious activities on May 5th, 2025, when employees were unable to log into the network.  

On June 23rd, Infinite Services determined that employee and patient information had been accessed. Information accessed included names, addresses, Social Security numbers, member identification numbers, dates of birth, and health insurance information. 

Going deeper

Infinite Services noted that when employees were unable to log in, several servers were off. One server, however, remained active and had an extension from the threat actor group. Infinite Services stated, “The electricity was unplugged from the entire network, interrupting the encryption process. The threat actor was able to log into one of the servers.”  

Upon discovery, Infinite Services also worked with a third-party forensics group and notified the FBI. Infinite Services noted that while the investigation is ongoing, the practice decided to notify all individuals who had information on the server. Letters began going out to impacted individuals on July 25th. Impacted individuals will be eligible to receive free credit monitoring and identity theft insurance. 

At this time, no threat actor has claimed the attack, nor has the stolen data been published online. 

The big picture

Paubox frequently reports on ransomware attacks, which continue to plague the healthcare industry. These attacks can be particularly devastating because when data is held for ransom, it’s often unusable by the healthcare organization, which can potentially harm patients. Even if a ransom goes unpaid, it can still have large financial implications. Just last week, Syracuse Surgery Center agreed to a $250,000 settlement, showcasing the ongoing issues a data breach can result in. 

FAQs

Will the stolen data be published online? 

Currently, there is no evidence that the data has been published on the dark web. However, Infinite Services did state the ransom went unpaid, which could mean the threat group will release it. 

Is there any benefit to paying a ransom? 

It’s strongly recommended that organizations do not pay ransoms. First, it doesn’t guarantee that data will be returned or deleted. Second, it can encourage threat actors to attack the same organization again, as it shows ransom attacks can be successful.