Ransomware victim disclosure

Open Door Health Center

Claimed by incransom · listed 6 days ago

Age

since listed · data leaked

Status timeline

Listed
May 25, 2026
Data leaked

At a glance

Group: incransom
Status: Data leaked
Country: US
Sector: Healthcare
Listed on leak site: May 25, 2026

About the victim

AI dossier — public-source company profile

Open Door Health Center is a Illinois-based community health center founded in 1977 that provides comprehensive primary healthcare services with a focus on underserved populations, particularly LGBTQI individuals and people living with HIV/AIDS. Services include medical assistance, HIV programs, behavioral health, case management, and community outreach, operating on a medical home model.

Industry: Community Health Center / Primary Care
Founded: 1977

Attack summary

Severity: critical — Healthcare provider with confirmed data exfiltration; patient records including sensitive HIV/AIDS and behavioral health information constitute regulated PHI under HIPAA. Scale and specific proof files unknown, but the nature of the data exposed is inherently sensitive.

The incransom group claims to have exfiltrated data from Open Door Health Center. The specific data categories and operational impact are not detailed in the available post excerpt.

critical

Data the group says was taken

AI dossier — extracted from the leak post

Patient medical records
HIV/AIDS treatment information
Behavioral health records
Case management files
Personal health information

What the group claims

Open Door Health Center of Illinois offers a comprehensive medical home approach to primary health care, focusing on improving community health since 1977. Their services include medical assistance, HIV programs, behavioral health, case management, and community outreach, catering especially to LGBTQI individuals and those living with HIV/AIDS. The center aims to provide affordable and accessible healthcare without discrimination, while also engaging in education and training initiatives. Their intended clients include patients in need of medical care, community members seeking support, and volunteers looking to contribute to health equity.

Sources

Leak posthttp://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures/6a101ddfd152110a6a6658dc

Source

Indexed 6 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About incransom

Incransom is a ransomware group that emerged in August 2023, operating with primarily financial motivations as evidenced by their targeting of high-value sectors across multiple developed nations. The group's origin and specific affiliations remain undocumented by major threat intelligence organizations, though their operational patterns suggest they likely operate independently rather than as a ransomware-as-a-service model. With 734 documented victims, Incransom has demonstrated a preference for targeting organizations in the United States, Canada, United Kingdom, Germany, and Australia, with particular focus on healthcare, technology, business services, and manufacturing sectors, though their attack methodology and specific technical capabilities have not been extensively documented by established security researchers or government agencies. The group's notable campaigns and specific high-profile victims have not been publicly detailed by CISA, FBI, Mandiant, or other reputable threat intelligence sources, suggesting either operational security effectiveness or limited visibility into their most significant operations. Based on available intelligence, Incransom appears to remain active as of recent reporting periods, though comprehensive analysis of their current operational status requires additional documentation from established threat intelligence sources. The group has been linked to 812 public disclosures across our corpus. First observed on a leak site on August 9, 2023; most recent post May 28, 2026. The operation is currently active.

Also tracked as: inc ransom.

Timeline of this disclosure

May 25, 2026Open Door Health Center listed by incransomon the group's public leak site

Other recent disclosures by incransom

incransom has been linked to 812 public victims on Darkfield. A sample of the most recent: