Boston clinic notifies 185,000 people of patient data breach

DotHouse Health in Boston this week confirmed it notified 185,795 Massachusetts residents of an October 2022 data breach that compromised patients’ names, medical record numbers, diagnoses, conditions, medications, treatment info, claims info, dates of birth, and addresses.

DotHouse previously reported the breach in January 2023, but only 10,000 victims were mentioned on the US Department of Health and Human Services breach disclosure website at the time. The new figure of 185,795 from the Massachusetts Office of Consumer Affairs and Business Regulation only includes Massachusetts residents. Other states could soon release their own figures and add to the victim count. We’ll update this article as more figures become available.

“On November 28, 2022, DotHouse became aware that certain computer systems in our environment were exhibiting suspicious activity,” says the company’s latest notice (PDF) to victims. “Our investigation determined that an unknown actor gained access to certain systems between October 31, 2022 and November 27, 2022, and appeared to have accessed or downloaded certain files stored on certain computer systems during that time. DotHouse’s electronic medical records database was not impacted during the event.”

Ransomware gang ALPHV/BlackCat took credit for the breach, saying it stole 800 GB of data from DotHouse.

ALPHV/BlackCat listed DotHouse Health on its data leak site.

DotHouse has not verified ALPHV/BlackCat’s claim. We do not know if DotHouse paid a ransom, how much ALPHV/BlackCat demanded, how attackers breached DotHouse’s network, or why the reported victim count skyrocketed nearly three years after the breach. DotHouse’s website is partially inaccessible as of the time of writing. Comparitech contacted DotHouse Health for comment and will update this article if it replies.

DotHouse is offering eligible victims free credit monitoring through CyEx.

Who is ALPHV/BlackCat?

ALPHV/BlackCat is a now-defunct ransomware group that claimed responsibility for several high-profile data breaches prior to going dark in March 2024, shortly after it allegedly stole Change Healthcare’s $22 million ransom payment from affiliates. ALPHV/BlackCat operated a ransomware-as-a-service scheme in which affiliates paid to use ALPHV/BlackCat’s malware and infrastructure to launch attacks and collect ransoms.

From 2021 to 2024, ALPHV/BlackCat claimed 217 confirmed ransomware attacks that compromised 272 million records. Its average ransom demand was $4 million. Some of its other confirmed attack claims include:

  • Norton Healthcare notified 2.5 million people of a May 2023 data breach
  • McLaren Health Care notified 2.2 million people of a July 2023 data breach
  • Transformative Healthcare (Fallon Ambulance Services) notified 912,000 people of a February 2023 data breach
  • MNGI Digestive Health notified 767,679 people of an August 2023 data breach

Ransomware attacks on US healthcare

In 2022, when DotHouse was breached, Comparitech researchers logged 82 confirmed ransomware attacks against US hospitals, clinics, and other direct-care providers. Those attacks compromised 14.9 million records.

The following year, the figures doubled to 169 attacks and 31 million records. We recorded similar numbers in 2024: 167 attacks and 28.2 million records.

In 2025 so far, the pace of attacks has somewhat waned. We’ve logged 44 such attacks affecting 2 million records. Some of this year’s biggest ransomware attacks on healthcare include:

  • Frederick Health notified 934,326 people of a January 2025 data breach by unknown ransomware attackers
  • Marlboro-Chesterfield Pathology notified 235,911 people of a January 2025 data breach claimed by SafePay
  • Central Texas Pediatric Orthopedics notified 140,121 people of a January 2025 data breach claimed by Qilin
  • Alabama Ophthalmology Associates notified 131,576 people of a January 2025 data breach claimed by Qilin
  • Bell Ambulance notified 114,000 people of a February 2025 data breach claimed by Medusa

Ransomware groups have made another 101 unconfirmed attack claims against hospitals and clinics in 2025 that haven’t been publicly acknowledged by the targeted organizations.

Ransomware attacks on US hospitals, clinics, and other care providers can both steal data and lock down infected computer systems. They can cripple critical systems and endanger the health, privacy, and security of patients. Infected hospitals and clinics must pay a ransom or face extended downtime, data loss, and an increased risk of fraud for patients and staff. Hospitals and clinics might have to resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.

About DotHouse Health

DotHouse Health is a medical clinic in Boston, Massachusetts. It also goes by the name Dorchester House.