AdvancedHealth and Heart of Texas Behavioral Health Network: Cybercriminals say they breached AdvancedHealth, Tennessee clinic confirms

DragonForce Ransomware Group Claims Attack on Tennessee Healthcare Provider AdvancedHealth

The ransomware group DragonForce has taken responsibility for a cyberattack on AdvancedHealth, a Tennessee-based healthcare network operating over 200 clinics and serving 550 providers. The breach, disclosed in late April by one of its affiliates, Columbia Surgical Partners, involved the theft of 390 GB of data, including 2.3 million lines of patient records, partner agreements, payroll, and HR files.

On May 14, DragonForce threatened to leak 1,000 lines of stolen data daily unless its ransom demand was met. AdvancedHealth has not confirmed the attack or responded to the group’s claims, and key details such as the breach method, ransom amount, or whether a payment was made remain unconfirmed. The incident disrupted electronic medical record access at Columbia Surgical Partners, according to local reports.

DragonForce, a ransomware-as-a-service (RaaS) operation active since December 2023, has claimed 167 attacks in 2026, though only 14 have been verified by victims. The group has previously targeted healthcare organizations, including:

• Asheville Eye Associates (November 2024, 204,984 affected, $7M ransom demanded)
• Heart of Texas Behavioral Health Network (October 2023, 63,776 affected)
• Greater Cincinnati Behavioral Health Services (December 2023, 62,036 affected)
• Neurological Associates of Washington (December 2025, 13,500 affected)

The attack on AdvancedHealth adds to a growing trend of ransomware incidents in U.S. healthcare, with 14 confirmed breaches in 2026 alone. Recent cases include attacks on Signature Healthcare (Anubis), Minidoka Memorial Hospital (Blackwater), and Mile Bluff Medical Center (unknown attacker). Such breaches can disrupt critical systems, force manual record-keeping, delay care, and expose sensitive patient data.

Source: https://www.comparitech.com/news/cybercriminals-say-they-breached-advancedhealth-tennessee-clinic-confirms/

AdvancedHEALTH cybersecurity rating report: https://www.rankiteo.com/company/advancedhealth

Advanced Heart Care cybersecurity rating report: https://www.rankiteo.com/company/advanced-heart-care

"id": "ADVADV1779128933",
"linkid": "advancedhealth, advanced-heart-care",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"

{'affected_entities': [{'customers_affected': '2.3 million lines of patient '
                                              'records',
                        'industry': 'Healthcare',
                        'location': 'Tennessee, USA',
                        'name': 'AdvancedHealth',
                        'size': '200 clinics, 550 providers',
                        'type': 'Healthcare Network'},
                       {'industry': 'Healthcare',
                        'name': 'Columbia Surgical Partners',
                        'type': 'Healthcare Affiliate'}],
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '2.3 million lines of patient '
                                              'records',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information, medical records)',
                 'type_of_data_compromised': ['Patient records',
                                              'Partner agreements',
                                              'Payroll',
                                              'HR files']},
 'date_publicly_disclosed': '2026-04',
 'description': 'The ransomware group DragonForce has taken responsibility for '
                'a cyberattack on AdvancedHealth, a Tennessee-based healthcare '
                'network. The breach involved the theft of 390 GB of data, '
                'including 2.3 million lines of patient records, partner '
                'agreements, payroll, and HR files. DragonForce threatened to '
                'leak 1,000 lines of stolen data daily unless its ransom '
                'demand was met. The incident disrupted electronic medical '
                'record access at Columbia Surgical Partners, an affiliate of '
                'AdvancedHealth.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data breach and ransomware threat',
            'data_compromised': '390 GB of data, including 2.3 million lines '
                                'of patient records, partner agreements, '
                                'payroll, and HR files',
            'identity_theft_risk': 'High',
            'operational_impact': 'Disrupted operations at Columbia Surgical '
                                  'Partners, forced manual record-keeping, '
                                  'potential delays in care',
            'systems_affected': 'Electronic medical record access'},
 'motivation': 'Financial gain',
 'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'DragonForce'},
 'references': [{'source': 'Cyber Incident Description'}],
 'regulatory_compliance': {'regulations_violated': ['HIPAA (potential)']},
 'threat_actor': 'DragonForce',
 'title': 'DragonForce Ransomware Attack on AdvancedHealth',
 'type': 'Ransomware'}