Critical Unverified

AdvancedHEALTH Ransomware Attack by DragonForce (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

[Figure: leak site post claiming the AdvancedHEALTH data breach. Screenshot captured at time of discovery; image blurred to protect victim PII.]

Claim Summary

The ransomware group DragonForce has claimed responsibility for a cyberattack against AdvancedHEALTH, a US-based healthcare organization operating the domain ouradvancedhealth.com. According to a post on the group’s leak site dated May 14, 2026, the threat actor claims to have exfiltrated approximately 2,300,000 lines of data, described as “FULL patient data, partner agreements, management, payroll and HR files.” The group has threatened to release 1,000 lines of patient data daily until a ransom is paid or a countdown timer expires. A sample file was allegedly posted to a temporary file-sharing service, though this has not been independently verified by Yazoul Security.

Threat Actor Profile

DragonForce is a relatively nascent ransomware group with limited public attribution. While the group’s total known victim count remains undisclosed, their operational security (OPSEC) appears less mature than that of established groups like LockBit or BlackCat. The group’s claimed arsenal includes common post-exploitation and reconnaissance tools: Mimikatz for credential dumping, Advanced IP Scanner and SoftPerfect NetScan for network discovery, and PingCastle for Active Directory security auditing. These tools suggest DragonForce may rely on initial access brokers or compromised credentials rather than zero-day exploits. The group’s threat to release data incrementally (1,000 lines per day) is an unusual pressure tactic, potentially indicating a smaller operation or limited bandwidth for data publication. No YARA rules or specific detection guidance for DragonForce are publicly available at this time.
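Since no published detection guidance exists, defenders can still hunt for the commodity tooling named above. The following is an added example written for this report, not code from Yazoul Security or from any DragonForce sample: it parses constructed Sysmon-style process-creation events and flags the tool names listed in the profile, grouping hits per account so that one user touching several intrusion stages stands out. The log format and the sample lines are assumptions made for illustration.

```python
import re

# Constructed process-creation events in a simplified Sysmon-like key=value layout.
# These are illustrative only, not data from the DragonForce post or any real victim.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs User=NT AUTHORITY\\SYSTEM",
    "EventID=1 Image=C:\\Users\\jdoe\\Downloads\\mimikatz.exe CommandLine=mimikatz.exe privilege::debug sekurlsa::logonpasswords User=CORP\\jdoe",
    "EventID=1 Image=C:\\Temp\\advanced_ip_scanner.exe CommandLine=advanced_ip_scanner.exe /portable /r:10.0.0.0/24 User=CORP\\jdoe",
    "EventID=1 Image=C:\\Temp\\netscan.exe CommandLine=netscan.exe /range:10.0.0.1-10.0.0.254 User=CORP\\jdoe",
    "EventID=1 Image=C:\\Tools\\PingCastle.exe CommandLine=PingCastle.exe --healthcheck --server corp.local User=CORP\\admin",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe notes.txt User=CORP\\jdoe",
]

# Tool indicators taken from the threat actor profile, keyed by the intrusion stage
# they typically indicate. PingCastle is also a legitimate audit tool, so an
# "ad_recon" hit on its own should be correlated with the account and host, not
# treated as proof of compromise.
TOOL_SIGNATURES = {
    "credential_dumping": [r"mimikatz", r"sekurlsa::", r"lsadump::"],
    "network_discovery": [r"advanced_ip_scanner", r"netscan"],
    "ad_recon": [r"pingcastle"],
}

# Splits "Key=value value Key2=value" into a dict; values may contain spaces but not "Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Parse one key=value event line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return the intrusion stages whose tool indicators appear in the image or command line."""
    haystack = (event.get("Image", "") + " " + event.get("CommandLine", "")).lower()
    return [stage for stage, pats in TOOL_SIGNATURES.items()
            if any(re.search(p, haystack) for p in pats)]


def scan(lines):
    """Return one hit record per event that matched at least one tool indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        stages = classify(ev)
        if stages:
            hits.append({"user": ev.get("User"), "image": ev.get("Image"), "stages": stages})
    return hits


def stages_by_user(hits):
    """Group distinct stages per account; several stages from one account is the stronger signal."""
    by_user = {}
    for h in hits:
        by_user.setdefault(h["user"], set()).update(h["stages"])
    return by_user
```

Run `stages_by_user(scan(SAMPLE_EVENTS))` to see that the constructed `CORP\jdoe` account triggers both credential dumping and network discovery, which is the pattern worth escalating.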

Alleged Data Exposure

The threat actor claims the stolen data includes:

  • Full patient records (allegedly 2.3 million lines)
  • Partner agreements and contracts
  • Management correspondence
  • Payroll and human resources files

The group posted a link to a sample archive (ADI-Day1.zip) on a temporary file-sharing platform, which they claim contains the first batch of 1,000 patient records. This sample has not been reviewed by Yazoul Security, and its authenticity cannot be confirmed. The group states that subsequent daily leaks will occur at approximately 5 PM UTC until the ransom demand is met or the timer expires.

Potential Impact

If the claims are substantiated, the exposure of patient data would represent a significant breach of protected health information (PHI) under HIPAA regulations. AdvancedHEALTH could face regulatory fines, civil lawsuits, and reputational damage. The inclusion of partner agreements and HR files suggests the breach may extend beyond patient data to include business-sensitive information and employee PII. The daily drip-leak tactic could prolong media attention and increase pressure on the organization, while also providing a steady stream of data for cybercriminals to exploit for identity theft or phishing campaigns.

What to Watch For

  • Monitor the group’s leak site for subsequent daily updates to verify the data’s authenticity.
  • Watch for any official statements from AdvancedHEALTH regarding the incident.
  • Be alert for phishing emails targeting AdvancedHEALTH patients or employees using stolen data.
  • Track DragonForce’s activity for future victims to assess their operational patterns.
  • Check Yazoul Security’s intel page at /intel/ for any emerging detection guidance.

Disclaimer

This report is based solely on unverified claims made by the DragonForce ransomware group on their leak site. Yazoul Security has not independently confirmed the attack, the data exfiltration, or the authenticity of any samples. Ransomware groups frequently exaggerate or fabricate claims to coerce victims into paying ransoms. All information herein should be treated as preliminary and subject to change upon verification. No patient data, download links, or access credentials are provided in this report.
