
Qilin ransomware group claims attack on Good Samaritan Health Center


A Georgia-based federally qualified health center has notified patients of a November 2024 ransomware attack claimed by Qilin, with the final list of affected individuals not completed until July 2025.


What happened

Good Samaritan Health Center of Cobb, a federally qualified health center serving low-income patients in the Marietta, Georgia area, has disclosed a data breach stemming from a ransomware attack detected on November 4, 2024. According to the organization's breach notice and filings with the New Hampshire and Massachusetts Attorneys General, an unauthorized actor accessed and acquired data from the center's network. The Qilin ransomware group claimed responsibility and posted evidence of the stolen data on its dark web leak site. Compromised data includes names, Social Security numbers, driver's license and government identification numbers, financial information, and protected health information, including medical and health insurance records. The organization finalized its list of affected individuals on July 8, 2025, and submitted breach notifications to state regulators on July 31 and August 6, 2025.


Going deeper

The eight-month gap between the November 2024 attack and the completion of the file review in July 2025 reflects the complexity of investigating ransomware incidents involving unstructured data across organizational networks. Qilin operates a double-extortion model, exfiltrating data before deploying encryption and publishing stolen files when ransoms go unpaid. According to Comparitech, Qilin led all ransomware groups in confirmed healthcare attacks in 2025 with 23 confirmed incidents, and continued as the most active group targeting healthcare providers in Q1 2026 with a further 23 claims. Good Samaritan Health Center responded to the incident by securing its systems, changing passwords, adopting encryption technologies, updating its Security Rule Risk Management plan, implementing new technical safeguards, and initiating periodic security evaluations.


What was said

In its breach notice, Good Samaritan Health Center stated it "immediately secured its systems" upon detecting suspicious activity and engaged a specialized third-party cybersecurity firm to investigate. The organization confirmed it "updated its Security Rule Risk Analysis and worked closely with legal counsel and cybersecurity experts to manage the aftermath of the breach." The center also stated it has no evidence of actual misuse of the compromised data.


In the know

Qilin's targeting of a federally qualified health center fits a documented pattern of the group pursuing organizations with limited security resources and high community dependency. According to Comparitech's 2025 healthcare ransomware roundup, Qilin's confirmed healthcare attacks in 2025 included organizations across the US, Germany, and several other countries, with the group consistently targeting providers whose operational disruption creates the strongest pressure to pay. Federally qualified health centers serve as primary care providers for underinsured and uninsured populations, meaning a prolonged outage directly affects patients with limited access to alternative care.


The big picture

The Good Samaritan breach illustrates the compounding vulnerability of safety-net healthcare providers. These organizations serve patient populations with the greatest healthcare dependency while operating on budgets that constrain investment in security infrastructure. The combination creates exactly the profile ransomware operators seek: high disruption value, limited defensive capability, and patient populations unlikely to have alternatives if care is interrupted. According to Paubox's Small Healthcare Practices report, 20% of small healthcare organizations lack any email archiving or audit trail, leaving them unable to investigate the full scope of an intrusion after it occurs. For a federally qualified health center managing the sensitive data of low-income patients, the eight months between detecting the attack and confirming its scope were eight months during which affected individuals had no warning that their Social Security numbers and medical records were in the attacker's hands, even as Qilin was posting evidence of the stolen data on its leak site.


FAQs

What is a federally qualified health center, and why is patient data exposure particularly sensitive?

Federally qualified health centers receive federal funding to provide primary care to underserved populations regardless of ability to pay. Their patient populations often include individuals who face barriers to accessing alternative care, and the combination of medical, financial, and identification data held for those patients creates a particularly complete profile for identity theft and fraud.


Why did the file review take eight months to complete?

Ransomware attacks often expose large volumes of unstructured data across network file systems. Identifying every individual whose information was present requires reviewing each affected file, a process that scales with the volume of data accessed and cannot be shortened without risking an incomplete notification list. Note that the HIPAA Breach Notification Rule does not grant extra time for a long investigation: covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered (45 CFR 164.404(b)), and the only express delay provision is for a documented law enforcement request (45 CFR 164.412). A lengthy file review therefore explains when the final list was completed, not whether the notification timeline satisfied the rule, which is a question for the entity and its regulators.
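To show why scoping a breach means touching every file, and why a naive scan both overcounts and undercounts, here is an added example of the kind of first-pass identifier sweep an incident response team runs before human review. It is illustrative code written for this page, not code from Good Samaritan, its forensic firm, or Qilin; it assumes the review is over plain-text files, uses a constructed in-memory sample instead of a real file share, and the SSN-format rules it applies (area not 000/666/900-999, group not 00, serial not 0000) only filter structurally impossible numbers, so remaining hits still need a reviewer to confirm they are real people rather than request IDs or member numbers.

```python
"""Added example: first-pass SSN sweep for breach-scope review.

Not the organization's or its investigators' tooling. Walks a set of files,
extracts SSN-shaped strings, drops structurally invalid ones, and deduplicates
individuals across files so the count reflects people, not occurrences.
"""
import re

# Constructed sample "exfiltrated" files (hypothetical, not real patient data).
SAMPLE_FILES = {
    "billing/2023-q4.csv": "name,ssn\nA. Patient,123-45-6789\nB. Patient,456-78-9012\n",
    "intake/forms.txt": "SSN 123 45 6789 recorded at intake; ref 000-12-3456 invalid",
    "notes/visit.txt": "Patient 123456789 follow-up; insurance member 987654321",
    "logs/server.log": "2024-11-04 request id 111-22-3333 from 10.0.0.5",
}

# Matches 9 digits with optional dash/space separators, not embedded in a
# longer digit run (so timestamps and account numbers are not split apart).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def valid_ssn(area, group, serial):
    """Reject numbers the SSA never issues; this trims false positives but
    cannot prove a surviving match belongs to a real person."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_files(files):
    """Return (per-file count of distinct plausible SSNs, set of unique SSNs).

    The per-file counts show where review effort concentrates; the unique set
    is the starting point for the affected-individuals list. The same person
    appearing in several files is counted once.
    """
    per_file = {}
    unique = set()
    for path, text in files.items():
        hits = set()
        for m in SSN_RE.finditer(text):
            if valid_ssn(*m.groups()):
                hits.add("".join(m.groups()))  # normalize separators away
        per_file[path] = len(hits)
        unique |= hits
    return per_file, unique


if __name__ == "__main__":
    counts, people = scan_files(SAMPLE_FILES)
    for path, n in counts.items():
        print(f"{path}: {n} plausible SSN(s)")
    print(f"{len(people)} unique identifier(s) queued for human review")
```

In the constructed sample the same individual appears in three files under three formats and is counted once, the two structurally invalid strings are dropped, and the server log's request ID survives the filter, which is exactly the hit a reviewer has to open the file to rule out. Real reviews also have to handle Office documents, PDFs, scanned images and database exports, which is where the months go.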


What is Qilin's typical approach to healthcare targets?

Qilin uses double extortion: it steals data before encrypting systems, then publishes the stolen files on its dark web leak site when ransoms go unpaid. The group has been the most active ransomware operation in confirmed healthcare attacks for two consecutive reporting periods and continues recruiting affiliates, expanding its operational reach.


What steps did Good Samaritan Health Center take in response?

The organization secured systems, changed passwords, adopted encryption technologies, updated its Security Rule Risk Management plan and Risk Analysis, implemented new technical safeguards, and initiated periodic security evaluations. It also offered 12 months of complimentary credit monitoring and identity theft restoration services through TransUnion to affected individuals.


What does it mean that Qilin posted evidence on its dark web leak site?

Posting sample screenshots or files on a dark web leak site serves two purposes: it proves to the victim that data was genuinely stolen, increasing ransom pressure, and it signals to other potential victims that the group follows through on its threats. Once data is posted, even a partial sample is accessible to other criminal actors who may use it independently of any ransom outcome.
