A ransomware group called Rhysida today took credit for a November 2025 data breach at Cytek Biosciences, a medical manufacturer based in Fremont, California.
Cytek sent data breach notices to 331 people in November. According to the notice, the following personal info was compromised in the breach:
- Name
- Social Security number
- Health and medical info
- Financial account and compensation info
- Cytek employee account usernames and passwords
- Postal addresses
- Email addresses
- Phone numbers
- Dates of birth
- Government-issued ID numbers (e.g. driver’s license)
- Signatures
- Citizenship status
Rhysida listed Cytek on the cybercriminal group’s data leak site, where it claims to have sold the stolen data. To prove its claim, Rhysida posted sample images of what it says are documents stolen from Cytek. They appear to include design documents for Cytek products.
Cytek has not acknowledged Rhysida’s claim and we cannot independently verify the authenticity of the documents. We do not know if Cytek paid a ransom, how much Rhysida demanded, or how attackers breached Cytek’s network. Comparitech contacted Cytek for comment and will update this article if it replies.
“Cytek Biosciences, Inc. (“Cytek”) experienced a data security incident involving unauthorized access to certain of our systems that occurred on or around November 1, 2025. Based on our investigation, we learned on or around November 28, 2025, that, in connection with this issue, an unauthorized party obtained certain of your personal information,” says Cytek’s November notice to breach victims.
Cytek is offering eligible victims 24 months of free identity theft protection through Experian. The deadline to enroll is April 30, 2026.
Who is Rhysida?
Rhysida is a cybercriminal group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. The group then demands a ransom both for deleting stolen data and for a key to restore infected devices. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.
Rhysida has claimed responsibility for 258 ransomware attacks since it first opened shop. 101 of those attacks were acknowledged by the targeted organizations. The group’s average ransom demand is $845,000.
Rhysida claimed attacks against 23 healthcare providers prior to Cytek, though this is the group’s first confirmed attack on a healthcare manufacturer.
In September 2025, Rhysida took credit for data breaches at MedStar Health in Maryland and Spindletop Center in Texas. It demanded $3.09 million and $1.65 million, respectively.
Ransomware attacks on US medical manufacturers
In 2025, Comparitech researchers logged 25 confirmed ransomware attacks on US healthcare businesses that don’t provide direct care, such as medical device manufacturers, pharmaceutical companies, and medical software developers.
Those attacks combined breached more than 5.86 million records. Other such recently confirmed ransomware attacks include:
- Fieldtex Products notified 274,000 people of an August 2025 data breach claimed by Akira
- Avosina Healthcare Solutions notified more than 44,000 people of a July 2025 data breach claimed by Qilin
- Mid Michigan Medical Billing Service notified more than 28,000 people of a March 2025 data breach claimed by Qilin
Ransomware attacks on healthcare businesses can both lock down computer systems and steal data. These attacks often compromise data belonging to the business’ clients, such as patient data from hospitals and clinics. They can cripple critical systems and endanger the health, privacy, and security of patients. Targeted companies must pay a ransom or face extended downtime, data loss, and increased risk to patients and staff.
About Cytek Biosciences
Based in Fremont, CA, Cytek makes and supplies cytometry products and services. Researchers and clinicians use Cytek instruments to analyze cells. It employs more than 500 people, according to its LinkedIn page.