LockBit 5.0 claims attack on Washington pediatric clinic

A ransomware group claimed responsibility for the breach just two days after it occurred, while the clinic's forensic investigation took four months to confirm what data was taken from children's medical records.

What happened

Mt. Spokane Pediatrics in Spokane, Washington, has notified 32,021 patients of a ransomware attack that occurred on or around January 1, 2026, in which an unauthorized actor accessed its network and exfiltrated files containing patient information. According to KHQ Local News, the clinic contained the threat immediately and engaged outside cybersecurity professionals to investigate. On January 3, 2026, the LockBit 5.0 ransomware group claimed responsibility on the Tor network, stating it had obtained the clinic's data and intended to publish it within 20 days. The forensic investigation concluded on April 22, 2026, confirming that exfiltrated files contained full names, dates of birth, Social Security numbers, health insurance information, medical treatment and diagnostic information, medical record and patient numbers, health plan beneficiary numbers, and dates of service. The clinic filed a notification with the Washington Attorney General on April 30, 2026.

Going deeper

The four-month gap between the January 1 attack and the April 22 confirmation of compromised data reflects the complexity of reviewing exfiltrated files to determine which patient records were included. The LockBit 5.0 claim came just 48 hours after the attack, creating a two-track situation in which the group publicly asserted data theft while the clinic's own investigation was still in its early stages. LockBit 5.0 is the latest iteration of one of the most documented ransomware operations in healthcare. According to Comparitech's Q1 2026 healthcare ransomware roundup, LockBit confirmed three healthcare provider attacks in Q1 2026 alongside Mt. Spokane Pediatrics, making it one of the most active confirmed groups against healthcare providers in the quarter. The clinic's own breach notice states it is unaware of any actual or attempted fraud resulting from the incident.

What was said

Practice administrator Daniel Oneill stated in the clinic's official notice: "On or about January 1, 2026, Mt. Spokane Pediatrics experienced a data security incident, where an unauthorized party accessed certain systems in our network environment. Upon learning of this issue, we contained the threat and immediately commenced a prompt and thorough investigation." The clinic confirmed it had notified affected individuals by US mail and provided guidance on protective steps. Mt. Spokane Pediatrics said it continually evaluates and modifies its practices to enhance security and is taking steps to augment its existing cybersecurity measures.

In the know

The Mt. Spokane Pediatrics breach sits within a documented pattern of ransomware attacks targeting pediatric and community healthcare providers in Washington state. According to KHQ, the Washington Attorney General's 2025 data breach report found that breach notifications in the state exceeded Washington's total population for the second consecutive year, that ransomware was the leading attack type, and that three of the top five breaches involved healthcare entities. LockBit's reemergence as LockBit 5.0 following law enforcement disruptions in 2024 and early 2025 signals the group has rebuilt sufficient operational capacity to resume confirmed healthcare attacks at scale.

The big picture

A pediatric clinic holds some of the most sensitive data in healthcare: children's diagnoses, treatments, and identifying information linked to minors who cannot independently monitor for misuse or take protective action. When Social Security numbers belonging to children are exposed, the risk window extends decades, because minors typically do not open credit accounts, and fraud using a child's SSN may go undetected for years. According to Paubox's Small Healthcare Practices report, small healthcare organizations face the same ransomware threat profile as large health systems but with fewer dedicated security resources and less redundancy to absorb the operational impact. The Mt. Spokane Pediatrics breach was claimed publicly two days after it occurred, months before the clinic could confirm what had been taken, leaving patients in the same position documented across other 2025 and 2026 ransomware incidents: formally notified long after their data had already been in the attacker's hands.

FAQs

Why does a pediatric data breach carry particular long-term risk?

Children's Social Security numbers are rarely used for credit applications, meaning fraud using a minor's SSN can go undetected for years until the child applies for their first loan, credit card, or apartment as an adult. The exposure window for identity theft using a child's credentials is substantially longer than for adult victims.

What is LockBit 5.0, and how does it differ from prior LockBit variants?

LockBit 5.0 is the latest iteration of the LockBit ransomware operation, which has rebuilt its infrastructure following coordinated law enforcement disruptions in February 2024 and subsequent operations. The group continues to operate a ransomware-as-a-service model, recruiting affiliates who conduct attacks and share a portion of ransom proceeds with the core developers.

Why did it take four months to confirm what data was compromised?

Ransomware groups typically exfiltrate large volumes of unstructured files before deploying encryption. Forensic reviewers must examine each file individually to determine whether it contains patient information and whose records were affected. For a clinic serving thousands of patients over many years, that review takes months, even with dedicated cybersecurity resources.

What protective steps can parents take if their child's data was exposed?

Parents can place a credit freeze on a minor child's credit file with each of the three major bureaus, which prevents new credit accounts from being opened in the child's name. Unlike adult monitoring, a freeze is the most effective tool because it blocks unauthorized use rather than simply alerting after the fact.