Yesterday, ransomware gang Kawa4096 added Susan B. Allen Memorial Hospital to its data leak site, claiming to have stolen 210 GB of data. The hospital in El Dorado, Kansas, confirmed it was investigating a potential cyber attack on July 18, 2025, after suffering a system outage.
The hospital first noted disruptions on July 16, when it posted a message on its Facebook page. In it, it said it was experiencing issues with its phone lines but that the Augusta Immediate Care Clinic remained open. On July 18, it issued a statement confirming that it had “detected anomalous activity” in its network, which had led to the IT outage. Patients reported that they were unable to contact the hospital to arrange appointments.
Kawa4096 came forward to claim the attack, uploading various documents as part of its proof pack, including employee authorization forms and patient claim information.
Susan B. Allen Memorial Hospital hasn’t provided any further updates on the attack and hasn’t confirmed Kawa4096’s claims. Comparitech has contacted the hospital for more information, asking whether or not a ransom has been demanded/paid, what information has potentially been impacted, and how many people could have had their data breached. We will update this article if it responds.
Who is Kawa4096?
Kawa4096 first started adding victims to its data leak site in June 2025. Since then, it has claimed nine attacks, four of which have been confirmed by the entity involved. As well as the above, other confirmed attacks include:
- Oriental Guard Research Co., Ltd., Japan: targeted in June 2025 with 42 GB allegedly stolen
- HEIM & HAUS, Germany: first noted an attack on June 24, 2025, with systems being largely restored as of July 10, 2025. Kawa4096 claims to have stolen 48 GB of data from the German retailer
- Shinchosha Co., Ltd., Japan: the insurance investigation company was also hit in June 2025 with over 34 of its clients believed to have been impacted. Kawa4096 initially claimed the attack on one of these clients but a Japanese cybersecurity company found the stolen files related to the attack on Shinchosha
Little is known about Kawa4096 at this stage, but from its confirmed attacks we can see it operates like many other ransomware gangs by using a double-extortion technique. This enables the group to demand two ransoms — one to decrypt systems and a second to delete stolen data. Trustwave also found that Kawa4096’s ransom notes are almost identical to Qilin’s, while the claims on its data leak site are similar to Akira’s.
Ransomware attacks on US healthcare
So far this year, we’ve noted 48 confirmed attacks on US healthcare providers and are tracking a further 102 unconfirmed attacks.
This attack on Susan B. Allen Memorial Hospital is the second confirmed attack this month so far. This week, Cookeville Regional Medical Center also confirmed it was grappling with a ransomware attack after detecting unusual activity on its systems on Sunday, July 13. At the time of writing, the incident remains ongoing and no hackers have come forward to claim the attack.
Meanwhile, Florida Lung, Asthma & Sleep Specialists (FLASS) has started notifying 10,000 people of a data breach following an attack in May 2025. Names, dates of birth, contact information, and limited medical details have been impacted. Rhysida claimed this attack with a $640,000 ransom for the allegedly stolen data.
These attacks highlight the ongoing threat ransomware poses to the healthcare sector as they not only have the potential to wreak havoc through system encryption but can have far-reaching consequences when data is stolen. Nevertheless, our recent report found that attacks on this sector aren’t increasing at the same rate as others, suggesting hospitals and clinics may have improved their security and/or hackers are focusing on other more lucrative industries.
About Susan B. Allen Memorial Hospital
Located in El Dorado, Kansas, Susan B. Allen Memorial Hospital is a not-for-profit organization with 48 beds and over 300 staff members.