A ransomware group called Rhysida yesterday took credit for a November 2025 data breach at the MACT Health Board. MACT operates several medical clinics in California’s Sierra Foothills serving the local American Indian community.
MACT in January notified an undisclosed number of patients about the breach, which compromised the following personal info:
- Names
- Social Security numbers
- Medical info including:
  - Doctors
  - Diagnoses
  - Insurance info
  - Medicines
  - Test results
  - Images
  - Care and treatment
The cyberattack disrupted systems at MACT’s clinics starting November 20, 2025, including phone services, prescription orders, and appointment scheduling. Phone services were restored on December 1, but some specialized imaging services were still unavailable as of January 22.
Rhysida listed MACT on its data leak site yesterday with a ransom demand of eight bitcoin, worth about $662,000 at time of writing. To prove its claim, Rhysida posted sample images of what it says are documents stolen from MACT. They include several passport scans, among other documents.
The MACT Health Board has not verified Rhysida’s claim and we cannot independently verify the authenticity of the leaked data. We do not know how many people MACT notified, how attackers breached MACT’s network, or if MACT paid a ransom. The Board declined to answer Comparitech’s questions.
“We recently experienced an incident that disrupted the operations of our IT systems,” says MACT’s notice (PDF) to victims. “Our investigation determined that an unauthorized party accessed some of the files on MACT’s systems between November 12, 2025 and November 20, 2025.”
MACT is offering eligible victims free identity monitoring.
Who is Rhysida?
Rhysida is a cybercriminal group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected devices. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.
Rhysida has claimed responsibility for 102 confirmed ransomware attacks in total, plus another 157 attack claims that haven’t been publicly acknowledged by the targeted organizations. Its average ransom demand is about $884,000.
24 of Rhysida’s confirmed attacks hit hospitals, clinics, and other healthcare providers. Those attacks compromised 3.83 million records. They include:
- MedStar Health (MD) reported a September 2025 data breach for which Rhysida demanded $3.1 million
- Spindletop Center (TX) reported a September 2025 data breach for which Rhysida demanded $1.65 million
- Cytek Biosciences (CA) notified 331 people of a breach claimed by Rhysida, which said it sold the breached data
Ransomware attacks on US healthcare
Comparitech researchers logged 109 confirmed ransomware attacks on US hospitals, clinics, and other healthcare providers in 2025 that compromised almost 8.9 million records in total.
Also this week, Insightin Health (MD) confirmed a September 2025 data breach. Ransomware gang Medusa took credit and demanded a $500,000 ransom.
Ransomware attacks on US hospitals, clinics, and other care providers can steal data and lock down infected computer systems. They can cripple critical systems and endanger the health, privacy, and security of patients. Infected hospitals and clinics must pay a ransom or face extended downtime, data loss, and increased risk to patients and staff. Hospitals and clinics might resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.
About the MACT Health Board
MACT stands for Mariposa, Amador, Alpine, Calaveras, and Tuolumne, the five California counties that the MACT Health Board serves. It operates a dozen locations primarily serving the local American Indian community. Those clinics offer medical, dental, behavioral, optometry, and chiropractic care.