Ransomware victim disclosure
← All victimsCorizon Healthcare
Claimed by Royal · listed 3 years ago
Status timeline
- ListedApr 3, 2023
- Data leakeddate unknown
At a glance
- Group
- Royal
- Status
- Data leaked
- Country
- United States
- Sector
- Healthcare
- Listed on leak site
- Apr 3, 2023
About the victim
AI dossier — public-source company profileCorizon Health (formerly Correctional Medical Services and Prison Health Services) is a private company that provides healthcare services to incarcerated individuals in correctional facilities across the United States. It is one of the largest private prison healthcare providers in the country, serving state and local government correctional systems. The company manages medical, dental, and mental health services for inmates.
- Industry
- Correctional / Prison Healthcare Services
- Employees
- 1001-5000
- Founded
- 1970
Attack summary
Severity: critical — The disclosed data includes protected health information (PHI) of incarcerated individuals, which is regulated under HIPAA, combined with legal records. This constitutes exfiltration of sensitive medical and personally identifiable data at scale for a vulnerable population, meeting the critical threshold.The Royal ransomware group claims to have exfiltrated data from Corizon Health, including legal documents and prisoner health and treatment records. The group has published the data and describes the exfiltrated content as voluminous.
Data the group says was taken
AI dossier — extracted from the leak post- Prisoner medical/health records
- Legal documents
- Treatment records
- Inmate personal information
What the group claims
Corizon Health (CMS and PHS in the past) is a private prison healthcare provider with a very interesting history. The data we took from them is not less interesting. Tons of law docs and other stuff about prisoners' health and their treatment in the institution.You are welcome!
Sources
Source
Indexed 3 years agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

