Open Door Health Center Ransomware Claim by INC (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
On May 25, 2026, the ransomware group known as INC (incransom) allegedly added Open Door Health Center (ODHC) to its leak site. The threat actor claims to have exfiltrated data from the Illinois-based healthcare provider, which serves a vulnerable population including LGBTQI individuals and those living with HIV/AIDS. The organization operates under the domain odhc.org and has been providing primary care since 1977. The volume of allegedly stolen data remains undisclosed, and no samples or download links have been provided by the group at this time. This claim has not been independently verified by Yazoul Security.
Threat Actor Profile
INC ransomware (also tracked as INC Ransom) is a relatively active threat actor that emerged in 2023. While the group’s total known victim count is not publicly documented, they have targeted multiple sectors including healthcare, education, and government. Their operational security is moderate, and they have been known to exaggerate claims to pressure victims into paying ransoms.
Based on available intelligence, INC has been observed using the following tools in their operations:
- Mimikatz: For credential dumping and lateral movement.
- AdFind: For Active Directory reconnaissance.
- Advanced IP Scanner and SoftPerfect NetScan: For network enumeration.
- 7-Zip: For data compression prior to exfiltration.
- BackBlaze and MEGA: For cloud-based data exfiltration.
- Finger: For user enumeration on remote systems.
No public YARA rules or specific detection guidance is currently available for INC ransomware. Organizations should monitor for the use of these tools in their environments as potential indicators of compromise.
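One way to act on the monitoring recommendation above, as an added example that is not part of the original report: it matches process-creation events against the listed tools and surfaces hosts where two or more distinct tools appear, since 7-Zip on its own is common in benign use. The binary names, command-line patterns, event field names and sample events are assumptions constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Assumed default binary names for the tools listed in this report.
TOOL_IMAGES = {
    "mimikatz.exe": "Mimikatz",
    "adfind.exe": "AdFind",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "netscan.exe": "SoftPerfect NetScan",
    "7z.exe": "7-Zip", "7za.exe": "7-Zip",
    "megasync.exe": "MEGA",
    "finger.exe": "Finger",
}
# Renamed binaries defeat name matching, so command lines are checked as well.
CMDLINE_PATTERNS = [
    (re.compile(r"sekurlsa::|lsadump::", re.I), "Mimikatz"),
    (re.compile(r"backblazeb2\.com|mega\.nz", re.I), "BackBlaze/MEGA"),
]

# Constructed process-creation records (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Users\Public\AdFind.exe", "cmd": "AdFind.exe -f objectcategory=computer"},
    {"host": "WS-014", "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": r"7z.exe a C:\ProgramData\out.7z D:\Shares"},
    {"host": "WS-014", "image": r"C:\Windows\Temp\svc.exe", "cmd": "svc.exe sekurlsa::logonpasswords exit"},
    {"host": "WS-022", "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": "7z.exe x report.zip"},
    {"host": "WS-022", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},
]

def detect(events):
    """Return (host, tool) pairs for every event that matches a listed tool."""
    findings = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()  # handles Windows paths on any OS
        tools = set()
        if name in TOOL_IMAGES:
            tools.add(TOOL_IMAGES[name])
        for pattern, tool in CMDLINE_PATTERNS:
            if pattern.search(ev["cmd"]):
                tools.add(tool)
        findings.extend((ev["host"], tool) for tool in sorted(tools))
    return findings

def hosts_to_triage(findings, min_tools=2):
    """Group findings per host and keep hosts with several distinct tools."""
    per_host = defaultdict(set)
    for host, tool in findings:
        per_host[host].add(tool)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_tools}

if __name__ == "__main__":
    print(hosts_to_triage(detect(SAMPLE_EVENTS)))
```
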
Alleged Data Exposure
According to the leak site, INC claims to have accessed and exfiltrated data from Open Door Health Center. The group’s description of the organization highlights its comprehensive medical home approach, including medical assistance, HIV programs, behavioral health, case management, and community outreach. The center specifically caters to LGBTQI individuals and those living with HIV/AIDS.
The exact nature and volume of the allegedly stolen data have not been disclosed. However, given the healthcare context, potential data types could include:
- Patient medical records and treatment histories
- HIV/AIDS status and related health information
- Behavioral health assessments and case management notes
- Personally identifiable information (PII) such as names, addresses, and Social Security numbers
- Insurance and billing information
- Employee and volunteer records
It is important to note that ransomware groups often inflate the scope of their claims to increase pressure on victims. Without independent verification, the actual extent of any data breach remains unknown.
Potential Impact
If the claim is verified, the impact on Open Door Health Center and its patients could be significant:
- Patient Privacy Violations: Exposure of sensitive health information, particularly HIV/AIDS status and LGBTQI-related care, could lead to stigma, discrimination, or personal harm.
- Regulatory Consequences: As a healthcare provider subject to HIPAA, ODHC could face substantial fines and mandatory breach notifications.
- Operational Disruption: Ransomware attacks often involve encryption of systems, potentially disrupting patient care, appointment scheduling, and medical record access.
- Reputational Damage: Trust in the organization’s ability to protect sensitive data may be eroded, affecting patient retention and community outreach efforts.
- Legal Liability: Affected patients may pursue class-action lawsuits for failure to safeguard their data.
What to Watch For
- Official Confirmation: Monitor Open Door Health Center’s website (odhc.org) and official communications for any breach notification or status update.
- Data Leak Monitoring: INC may release additional details or samples to escalate pressure. Yazoul Security’s dark web monitoring will continue to track this claim.
- Phishing and Social Engineering: Stolen data could be used in targeted phishing campaigns against patients or employees. Be cautious of unsolicited communications.
- Regulatory Filings: Check for HIPAA breach reports filed with the U.S. Department of Health and Human Services (HHS) in the coming weeks.
- Network Indicators: Organizations in the healthcare sector should review their environments for the tools listed in the Threat Actor Profile section.
Disclaimer
This report is based on unverified claims made by the INC ransomware group on their leak site. Yazoul Security has not independently confirmed the attack, the exfiltration of data, or the accuracy of the threat actor’s statements. Ransomware groups routinely exaggerate or fabricate claims to coerce victims into paying ransoms. Readers should treat this information with appropriate skepticism and await official confirmation from Open Door Health Center or relevant authorities. No PII, download links, or access credentials are included in this report.