The Richmond Behavioral Health Authority in Virginia has notified 113,232 people of a September 2025 data breach, according to the US Department of Health and Human Services.
The breach compromised RBHA patients’ names, Social Security numbers, passport numbers, financial account info, and protected health information.
Ransomware gang Qilin took credit for the breach shortly after it occurred and said it stole 192 GB of data. To prove its claim, Qilin posted images of what it says are documents stolen from RBHA on the gang’s data leak site.
RBHA has not verified Qilin’s claim. We do not know how attackers breached RBHA’s network, if RBHA paid a ransom, or how much Qilin demanded. Comparitech contacted RBHA for comment and will update this article if it replies.
“On or about September 30, 2025, RBHA became aware that it
was the victim of a data incident,” says RBHA’s notice (PDF) to victims.
“To date, our investigation revealed that malicious actors gained access to RBHA’s network on or about September 29, 2025, and deployed ransomware to encrypt portions of the network.”
The notice does not mention any offer of free credit monitoring for victims put at risk of identity theft.
Who is Qilin?
Qilin is a ransomware gang that began taking credit for attacks on its data leak site in late 2022. Based in Russia, Qilin mainly targets victims through phishing emails to spread its ransomware. It runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms.
Qilin is the most prolific ransomware gang of 2025. The group claimed responsibility for 152 confirmed ransomware attacks, plus 805 unconfirmed claims that haven’t been publicly acknowledged by the targeted organizations.
Out of those 152 confirmed attacks, 16 hit healthcare providers. The attack on RBHA is the third-largest by number of records affected. The two largest include:
- Usunomya Central Clinic in Japan notified 300,000 people of a February 2025 data breach
- Central Texas Pediatric Orthopedics notified 140,121 people of a January 2025 breach
More recently, Columbia Medical Practice in Maryland started notifying patients of a Qilin-claimed attack in November.
Ransomware attacks on US healthcare
In 2025 to date, Comparitech researchers have logged 85 confirmed ransomware attacks on US hospitals, clinics, and other direct care providers. Those attacks compromised more than 8.1 million records in total. The average ransom demand is $466,000.
Other such recently confirmed breaches include:
- Woodlawn Health (IN) notified patients of a June 2025 ransomware attack by unknown hackers
- Heywood Healthcare (MA) is notifying patients following an October 2025 data breach claimed by Sinobi
- Anchorage Neighborhood Health Center notified 70,555 people of an August 2025 data breach claimed by unknown attackers
Ransomware attacks on US hospitals, clinics, and other care providers can steal data and lock down infected computer systems. They can cripple critical systems and endanger the health, privacy, and security of patients. Infected hospitals and clinics must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk. Hospitals and clinics might resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.
About the Richmond Behavioral Health Authority
The Richmond Behavioral Health Authority is a nonprofit mental health service in Richmond, Virginia. It operates four treatment centers and provides behavioral and primary medical services to about 13,000 people per year, according to the RBHA website.
