Gaylord Specialty Healthcare, a Connecticut-based nonprofit health system specializing in rehabilitation, experienced a ransomware attack in December 2024 attributed to the SAFEPAY group. The attackers claimed to have exfiltrated 160 GB of data, which was later posted on the dark web. Forensic investigations confirmed unauthorized access to personal data between December 16–19, 2024, affecting patients and potentially employees. The breach was disclosed to regulators in September 2025, with notifications sent to impacted individuals, offering credit monitoring and identity theft protection. The incident disrupted network connectivity and exposed sensitive personally identifiable information (PII), including medical and financial records. Affected individuals face risks of identity theft, fraud, and misuse of medical data, with legal firms investigating potential compensation claims. The breach underscores failures in safeguarding critical healthcare data, with long-term reputational and operational consequences for the organization.
Source: https://www.claimdepot.com/investigations/gaylord-hospital-data-breach-2025
TPRM report: https://www.rankiteo.com/company/gaylord-specialty-healthcare
"id": "gay2893328092525",
"linkid": "gaylord-specialty-healthcare",
"type": "Ransomware",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'healthcare (rehabilitation, long-term '
'acute care)',
'location': 'Wallingford, Connecticut, USA',
'name': 'Gaylord Specialty Healthcare',
'size': '~380 employees',
'type': 'nonprofit health system'}],
'attack_vector': 'ransomware (SAFEPAY group)',
'customer_advisories': ['Written notices sent (2025-09-24) with enrollment '
'instructions for credit monitoring.',
'Guidance on fraud alerts, credit freezes, and '
'identity theft reporting.'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'high (PII, potential health records)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'potential medical/health data']},
'date_detected': '2024-12-16',
'date_publicly_disclosed': '2025-09-24',
'description': 'Gaylord Specialty Healthcare, a nonprofit health system based '
'in Wallingford, Connecticut, experienced a ransomware attack '
'in December 2024. The SAFEPAY group claimed responsibility, '
'alleging they obtained 160 GB of data, which was posted on '
'the dark web. Personal data was accessed without '
'authorization between December 16 and December 19, 2024. The '
'breach was disclosed to the Maine Attorney General’s office '
'on September 24, 2025, with written notices sent to affected '
'consumers on the same day.',
'impact': {'brand_reputation_impact': 'potential damage due to exposure of '
'sensitive patient data',
'data_compromised': '160 GB (alleged)',
'identity_theft_risk': 'high (personally identifiable information '
'exposed)',
'legal_liabilities': 'potential lawsuits (e.g., Shamis & Gentile '
'P.A. investigating for compensation claims)',
'operational_impact': 'disruption of services '
'(inpatient/outpatient care)',
'systems_affected': 'network connectivity disrupted'},
'initial_access_broker': {'data_sold_on_dark_web': True,
'high_value_targets': ['patient PII',
'health records']},
'investigation_status': 'completed (forensic investigation concluded by '
'2025-08-25)',
'motivation': 'financial (ransom demand), data exfiltration',
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'SAFEPAY'},
'recommendations': ['Enroll in complimentary credit monitoring/identity theft '
'protection (Cyberscout) within 90 days.',
'Review credit reports (Equifax, Experian, TransUnion) '
'for suspicious activity.',
'Place a one-year fraud alert or security freeze on '
'credit files.',
'Monitor financial statements and insurance ‘explanation '
'of benefits’ for unusual activity.',
'Report suspected identity theft to law enforcement and '
'the Federal Trade Commission (FTC).',
'Review medical/insurance records for inaccuracies.'],
'references': [{'source': 'Shamis & Gentile P.A. (class action investigation '
'notice)'},
{'source': 'Gaylord Specialty Healthcare breach notification '
'(2025-09-24)'},
{'source': 'Maine Attorney General’s office disclosure'}],
'regulatory_compliance': {'legal_actions': ['potential class-action lawsuits '
'(e.g., Shamis & Gentile P.A.)'],
'regulatory_notifications': ['Maine Attorney '
'General’s office '
'(disclosed '
'2025-09-24)']},
'response': {'communication_strategy': ['written notices to affected '
'consumers (2025-09-24)',
'disclosure to Maine Attorney '
'General’s office',
'public advisory via Shamis & Gentile '
'P.A.'],
'incident_response_plan_activated': True,
'recovery_measures': ['credit monitoring for affected '
'individuals',
'identity theft protection services'],
'third_party_assistance': ['forensic investigation team',
'Cyberscout (credit '
'monitoring/identity theft '
'protection)']},
'stakeholder_advisories': ['credit monitoring services (Cyberscout)',
'FTC resources',
'state attorney general contacts'],
'threat_actor': 'SAFEPAY ransomware group',
'title': 'Gaylord Specialty Healthcare Ransomware Attack and Data Breach',
'type': ['ransomware', 'data breach']}