Rocky Mountain Care discloses ransomware attack, Qilin claims responsibility
Farah Amod
April 15, 2026
A Utah provider of skilled nursing and home health services for seniors has confirmed unauthorized access to its network following a ransomware claim posted to the dark web in February.
What happened
Rocky Mountain Care, a Woods Cross, Utah-based provider of skilled nursing care and home health services to seniors in Utah and Wyoming, has disclosed a cybersecurity incident in which an unauthorized third party gained access to certain files on its network. According to the company's official breach notice, published on March 27, 2026, the investigation determined that certain information was viewed or taken without authorization between January 30 and February 2, 2026. The Qilin ransomware group subsequently posted Rocky Mountain Care to its dark web data leak site on February 23, 2026, issuing a ransom demand and threatening to publish the stolen data if payment was not made. Rocky Mountain Care has not disclosed whether a ransom was paid. A review of the affected data is currently underway to determine whether protected health information is involved, and the organization said it will notify affected individuals directly once that review is completed.
What was said
In its breach notice dated March 27, 2026, Rocky Mountain Care stated: "Rocky Mountain Care takes this event and the security of personal information seriously. Upon becoming aware of the event, Rocky Mountain took steps to secure the network, investigate the activity, and determine the scope of impacted information. Rocky Mountain engaged third-party specialists to investigate and respond to this event." The organization encouraged individuals to remain vigilant against identity theft and fraud by reviewing their accounts and credit reports for suspicious activity.
In the know
Qilin has established a pattern of targeting healthcare organizations using double extortion tactics, which involve both encrypting victim systems and threatening to publish stolen data unless a ransom is paid. According to BleepingComputer, Qilin claimed responsibility for a May 2025 attack on Covenant Health, a Catholic healthcare provider operating hospitals, nursing and rehabilitation centers, and elder care organizations across New England. In that case, the group claimed to have stolen 852 GB of data comprising nearly 1.35 million files, with the breach ultimately affecting approximately 478,000 patients. The two incidents share a notable profile overlap: both organizations serve elderly and long-term care populations whose medical records carry particular value to ransomware groups operating under a double extortion model.
The big picture
Qilin has grown rapidly into one of the most active ransomware operations targeting the healthcare sector. According to The Hacker News, the group claimed more than 40 victims every month through most of 2025, reaching a high of 100 claimed attacks in June and 84 each in August and September. The group is responsible for 29 percent of all ransomware attacks tracked in late 2025, according to NCC Group data cited in the same report. Qilin's affiliate program allows operators to retain 80 to 85 percent of ransom payments, making it financially attractive to cybercriminals looking for a capable and well-resourced platform. Paubox's 2025 Healthcare Email Security Report, citing the HHS Office for Civil Rights, notes that ransomware attacks on healthcare organizations have surged 264 percent since 2018, and that the IBM Cost of a Data Breach Report puts the average healthcare breach cost at $9.8 million, the highest of any industry for 14 consecutive years. Long-term care and skilled nursing organizations like Rocky Mountain Care often operate with constrained IT resources, making them particularly exposed to ransomware groups with the capability to move quickly through a network and exfiltrate data before triggering encryption.
FAQs
What is double extortion ransomware, and how does Qilin use it?
Double extortion ransomware involves attackers both encrypting an organization's files and stealing data before triggering the encryption. Attackers then demand payment to both restore access and prevent the stolen data from being published. Qilin operates a dark web data leak site where it posts victim names and sample data as leverage to pressure organizations into paying.
Why are skilled nursing and long-term care organizations at increased risk from ransomware?
These organizations often hold detailed medical, financial, and personal records for elderly patients with chronic conditions, making the data highly sensitive. They may also operate with smaller IT teams and tighter budgets than acute care hospitals, creating vulnerabilities that ransomware groups can exploit more easily.
Has Rocky Mountain Care confirmed whether a ransom was paid?
No. Rocky Mountain Care has not publicly disclosed whether it paid or declined to pay the ransom demanded by the Qilin group. The investigation and data review remain ongoing.
What types of information may have been affected?
The organization has not yet confirmed the specific data types involved. The review of impacted files is ongoing, and Rocky Mountain Care has indicated it will notify affected individuals directly once that review is complete.
What steps can long-term care organizations take to reduce ransomware risk?
Organizations should implement regular offline backups that cannot be encrypted remotely, apply multi-factor authentication across all systems, conduct network segmentation to limit lateral movement, and develop and test incident response plans that include manual fallback procedures for patient care operations in the event of system disruption.
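One concrete piece of the "offline backups that cannot be encrypted remotely" advice is being able to prove, before you need a restore, that a backup set has not been altered or encrypted since it was written. The script below is an added illustration of that check and is not code from Paubox, Rocky Mountain Care, or any vendor: it records a SHA-256 manifest of a backup directory, protects the manifest with an HMAC keyed with a secret that is assumed to live somewhere other than the backup host, and later reports any file that changed, went missing, or appeared unexpectedly. The directory, file names, and key are constructed sample values.

```python
"""Integrity check for a backup set against a manifest kept out of band (added example)."""
import hashlib
import hmac
import os
import tempfile


def serialize(manifest):
    """Stable byte encoding of the manifest so the HMAC is reproducible."""
    return "\n".join(f"{k} {v}" for k, v in sorted(manifest.items())).encode()


def build_manifest(backup_dir, key):
    """Hash every file under backup_dir; return (manifest, hmac_tag).

    The tag lets the verifier detect a manifest that was itself rewritten
    to match tampered backups. `key` is assumed to be stored off the backup host.
    """
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, backup_dir)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    tag = hmac.new(key, serialize(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_backup(backup_dir, manifest, tag, key):
    """Return a list of problems; an empty list means the backup matches its manifest."""
    expected_tag = hmac.new(key, serialize(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        # If the manifest itself fails authentication, per-file results mean nothing.
        return ["manifest: HMAC mismatch, manifest may have been altered"]
    current, _ = build_manifest(backup_dir, key)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"changed: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo():
    """Constructed scenario: record a backup set, then alter one file and add another."""
    key = b"constructed-demo-key-kept-off-the-backup-host"
    with tempfile.TemporaryDirectory() as backup_dir:
        os.makedirs(os.path.join(backup_dir, "ehr"))
        with open(os.path.join(backup_dir, "ehr", "patients.db"), "wb") as fh:
            fh.write(b"constructed sample record\n" * 100)
        with open(os.path.join(backup_dir, "config.ini"), "wb") as fh:
            fh.write(b"[backup]\nschedule=nightly\n")

        manifest, tag = build_manifest(backup_dir, key)
        clean = verify_backup(backup_dir, manifest, tag, key)

        # Simulate what a compromised backup looks like: one file overwritten with
        # random bytes (as an encryptor would leave it) and one file that was never backed up.
        with open(os.path.join(backup_dir, "ehr", "patients.db"), "wb") as fh:
            fh.write(os.urandom(64))
        with open(os.path.join(backup_dir, "extra.txt"), "w") as fh:
            fh.write("constructed file not in the manifest\n")
        tampered = verify_backup(backup_dir, manifest, tag, key)

        # A manifest edited without the key is also caught.
        forged = dict(manifest)
        forged["extra.txt"] = "0" * 64
        forged_result = verify_backup(backup_dir, forged, tag, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Run this on a schedule against the copy of the backups that the production network cannot write to, with the manifest and key stored separately from both; a non-empty result is a signal to treat that backup set as unreliable before an incident forces the question.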