A significant cybersecurity incident has unfolded in northern Arizona, with the pro-Russia ransomware group Stormous asserting that it has stolen extensive patient data from North Country HealthCare. The breach allegedly impacts 600,000 patients across the organization’s 14 sites, raising serious concerns about the privacy and security of sensitive personal and health information. North Country HealthCare, a federally qualified health center, provides a wide array of primary healthcare services, making the potential exposure of such a large volume of patient data particularly alarming for the region.
The Stormous group officially listed North Country HealthCare on its data leak site on July 13, 2025. Their claims specify the theft of “full personally identifiable information (PII), Protected Health Information (PHI), diagnostic codes (ICD), clinic data, [and] provider details.” This encompasses a comprehensive range of sensitive data, including patients’ full names, dates of birth, contact information, details of clinic visits, insurance providers, and medical diagnoses. Such information, if verified, could be highly valuable for malicious activities, including identity theft and various forms of fraud.
Adding to the gravity of the situation, the ransomware group initially announced a two-tiered approach to monetizing the stolen data.
They declared their intention to sell the data of 100,000 patients on the dark web, while the remaining 500,000 patient records would be made publicly available for free. According to a July 15, 2025, update reported by the HIPAA Journal, the files have indeed been published. This public release significantly escalates the risk for affected individuals, as their highly personal medical and identification details are now potentially accessible to a wide audience.
Stormous, known for its “double extortion” model, has been active since early 2022. This model involves both encrypting an organization’s systems and exfiltrating data, then demanding payment to restore access and prevent the public release of stolen information. The group has a history of targeting at least 150 organizations globally, with a particular focus on sectors such as healthcare, hospitality, technology, business services, and government. Their primary geographical targets include Spain, the U.S., UAE, France, and Brazil.
As of now, North Country HealthCare has not yet issued a public statement confirming the cyberattack or data breach, leaving patients and the wider community seeking official information and guidance.
The alleged breach underscores the persistent and evolving threat that ransomware groups pose to healthcare providers, highlighting the critical need for robust cybersecurity measures and prompt communication with affected individuals in the event of a compromise.
Reference:
