Advanced Medical Consultants Ransomware by DragonForce (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
On May 14, 2026, the DragonForce ransomware group posted a claim on their dark web leak site alleging a successful attack against Advanced Medical Consultants, a US-based healthcare organization operating under the domain ouradvancedhealth.com. The threat actor claims to have exfiltrated approximately 2,300,000 lines of data, including full patient records, partner agreements, management files, payroll, and HR documents. As part of their extortion tactic, DragonForce asserts they will leak 1,000 lines of patient data daily until a ransom is paid or a countdown timer expires. A sample file named “ADI-Day1.zip” was allegedly hosted on a temporary file-sharing service, though Yazoul Security has not accessed or verified this sample. This claim remains unverified, and no official confirmation from Advanced Medical Consultants has been observed at the time of writing.
Threat Actor Profile
DragonForce is a relatively opaque ransomware group with an unknown total number of confirmed victims, making credibility assessment difficult. The group’s operational security and infrastructure remain poorly documented in public threat intelligence. Based on observed tooling, DragonForce appears to employ a standard suite of post-exploitation and reconnaissance utilities, including Mimikatz for credential dumping, Advanced IP Scanner for network discovery, PingCastle for Active Directory security auditing, and SoftPerfect NetScan for network inventory. These tools suggest a focus on lateral movement and privilege escalation within Windows environments. The group’s lack of a substantial public track record raises questions about their operational maturity and the veracity of their claims. Ransomware groups with limited victim histories often exaggerate data volumes to pressure victims into payment. No YARA rules or specific detection guidance for DragonForce are currently available in public repositories.
Alleged Data Exposure
According to the leak site post, the stolen data includes:
- Full patient data (2,300,000 lines)
- Partner agreements
- Management files
- Payroll records
- HR documents
The threat actor explicitly states they will release 1,000 lines of patient data daily, with the first batch allegedly uploaded to a temporary file-sharing service. This staged leak approach is a common psychological pressure tactic designed to create urgency and demonstrate data possession. However, without independent verification, it is impossible to confirm the authenticity, sensitivity, or volume of the claimed data. Healthcare data is highly regulated under HIPAA, and any confirmed breach involving patient records would carry significant legal and regulatory consequences for Advanced Medical Consultants.
Potential Impact
If the claim is substantiated, the impact on Advanced Medical Consultants could be severe:
- Regulatory Penalties: Potential HIPAA violations could result in fines from the Office for Civil Rights (OCR), ranging from $100 to $50,000 per violation, with annual caps.
- Patient Harm: Exposure of sensitive health information could lead to identity theft, medical fraud, and reputational damage for affected individuals.
- Operational Disruption: Ransomware attacks often involve encryption of systems, leading to downtime, loss of access to critical medical records, and potential delays in patient care.
- Legal Liability: Class-action lawsuits from affected patients and partners are possible if data is confirmed exposed.
- Reputational Damage: Trust in the organization’s ability to protect sensitive data may erode, affecting patient retention and partner relationships.
What to Watch For
- Official Confirmation: Monitor Advanced Medical Consultants’ official website (ouradvancedhealth.com) and press releases for any acknowledgment of a security incident.
- Data Leak Verification: Track the threat actor’s claims of daily data releases. Any confirmed samples would increase the credibility of the attack.
- Regulatory Filings: Check for breach notifications filed with state attorneys general or the U.S. Department of Health and Human Services (HHS) Breach Portal.
- Dark Web Activity: Continued monitoring of DragonForce’s leak site and associated forums for additional data dumps or negotiation updates.
- Detection Guidance: While no YARA rules exist for DragonForce, organizations should review their environment for use of the tools listed above (Mimikatz, Advanced IP Scanner, PingCastle, SoftPerfect NetScan) as potential indicators of compromise.
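One way to run the tool review described in the Detection Guidance item, shown as an added example that is not part of the original report: a triage pass over process-creation events for the four named tools. The binary names, command-line markers, the `ADMIN_HOSTS` allowlist and the sample events are assumptions constructed for illustration; the field names follow Sysmon Event ID 1.

```python
import json
from pathlib import PureWindowsPath

# Default binary names of the four tools named in the report (assumed, not from the page).
TOOLS = {
    "mimikatz.exe": "Mimikatz",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "pingcastle.exe": "PingCastle",
    "netscan.exe": "SoftPerfect NetScan",
}
# Mimikatz module prefixes that appear on the command line even if the file is renamed.
CMD_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")
# Hypothetical hosts where IT staff legitimately run the scanning and audit tools.
ADMIN_HOSTS = {"IT-JUMP01"}

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE = r'''
{"Computer":"IT-JUMP01","Image":"C:\\Tools\\PingCastle.exe","OriginalFileName":"PingCastle.exe","CommandLine":"PingCastle.exe --healthcheck"}
{"Computer":"WS-114","Image":"C:\\Users\\jdoe\\Downloads\\advanced_ip_scanner.exe","OriginalFileName":"advanced_ip_scanner.exe","CommandLine":"advanced_ip_scanner.exe"}
{"Computer":"SRV-DB02","Image":"C:\\Windows\\Temp\\svch0st.exe","OriginalFileName":"mimikatz.exe","CommandLine":"svch0st.exe privilege::debug sekurlsa::logonpasswords exit"}
{"Computer":"WS-020","Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","CommandLine":"notepad.exe"}
'''

def find_tool_use(lines):
    """Return one hit per event that shows use of a listed tool outside the allowlist."""
    hits = []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        original = ev.get("OriginalFileName", "").lower()  # from PE version info, survives renaming
        cmd = ev.get("CommandLine", "").lower()
        tool = TOOLS.get(image) or TOOLS.get(original)
        if tool is None and any(marker in cmd for marker in CMD_MARKERS):
            tool = "Mimikatz"
        if tool is None:
            continue
        # Dual-use admin tools are expected on admin hosts; Mimikatz is reported everywhere.
        if tool != "Mimikatz" and ev["Computer"] in ADMIN_HOSTS:
            continue
        hits.append({"host": ev["Computer"], "tool": tool,
                     "renamed": original in TOOLS and image != original})
    return hits

if __name__ == "__main__":
    print(json.dumps(find_tool_use(SAMPLE), indent=2))
```

Three of the four tools are legitimate administration software, so a hit is a lead for review and the allowlist needs to reflect where they are actually sanctioned.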
Disclaimer
This report is based solely on unverified claims posted by the DragonForce ransomware group on their dark web leak site. Yazoul Security has not independently verified the accuracy, authenticity, or scope of the alleged data breach. Ransomware groups frequently exaggerate or fabricate claims to pressure victims into payment. No data samples, download links, credentials, or personally identifiable information (PII) have been reviewed or included in this report. Organizations should treat this information as preliminary and await official confirmation from Advanced Medical Consultants or relevant authorities. For more intelligence on ransomware threats, visit Yazoul Security’s intel section at /intel/.