Update – 06/03: 12,090 people are now confirmed to have been impacted in this breach.
Next Step Healthcare in Massachusetts over the weekend confirmed it notified thousands of patients of a June 2024 data breach that compromised the following personal info:
- Social Security numbers
- Medical records
- Financial account details
- Drivers’ licenses
- Credit and debit card numbers
At the time of writing, two states have disclosed how many of their residents were affected by the breach: 10,041 in Massachusetts and 1,697 in New Hampshire. We’ll update this article when more states divulge their breach figures.
Ransomware gang Qilin took credit for the attack on July 17, 2024.

Next Step has not verified Qilin’s claim. We do not know if Next Step paid a ransom, how much Qilin demanded, why it took nearly a year to notify victims, or how attackers breached Next Step’s network. Comparitech contacted Next Step Healthcare for comment and will update this article if it replies.
“On or around June 5, 2024, Next Step Healthcare, LLC (‘Next Step’) was alerted to unusual activity within its network,” says the company’s notice (PDF) to victims. “In response, Next Step took steps to secure its environment and enlisted the assistance of outside experts to conduct an investigation. The investigation revealed evidence that data may have been accessed or downloaded without authorization.”
Next Step is offering eligible victims free credit monitoring through IDX.
Who is Qilin?
Qilin is a ransomware gang that began claiming responsibility for attacks on its data leak site in late 2022. Based in Russia, Qilin mainly targets victims through phishing emails to spread its ransomware. It launched in August 2022 and runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms.
In 2024, Qilin claimed responsibility for 37 confirmed ransomware attacks, plus 141 unconfirmed claims that haven’t been acknowledged by the targeted organizations. In 2025 to date, it launched 28 confirmed attacks and 205 unconfirmed claims.
Qilin frequently targets the healthcare industry. Some of its other recently confirmed attacks include:
- Central Texas Pediatric Orthopedics notified 140,121 people of a January 2025 data breach
- Lake Washington Vascular notified 21,534 people of a February 2025 data breach
- Hospital Los Madronos in Spain suffered a Qilin attack in March 2025
- The government of Sasszemklinika, Hungary was hit by Qilin in April 2025
Ransomware attacks on US healthcare
Comparitech researchers logged 162 confirmed ransomware attacks on US hospitals, clinics, and other direct care providers in 2024, compromising 27.2 million records. Another 125 claims remain unconfirmed. In 2025 so far, we recorded 26 confirmed attacks affecting 1.8 million records, plus 90 unconfirmed attacks.
In another recently confirmed attack, Bradford Health Services has started notifying victims of a December 2023 data breach claimed by Hunters International.
On average, it takes hospitals and other healthcare businesses 3.7 months to notify victims of a data breach.
Ransomware attacks on US hospitals, clinics, and other care providers can cripple key systems and endanger the health, privacy, and security of patients. Hospitals must pay a ransom or face extended downtime, data loss, and an increased risk of fraud for patients and staff. Hospitals and clinics might have to resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.
Elderly people are at a higher risk of identity theft. The data breached in the attack on Next Step could lead to financial exploitation of victims. More than 6 in 100 elderly people in the United States have been victims of elder fraud.
About Next Step Healthcare
Next Step Healthcare operates 15 home nursing and rehabilitation facilities in Massachusetts. It provides both short- and long-term care.