Madison Healthcare Services, a regional healthcare organization based in Madison, Minnesota offering family medicine, primary care, behavioral health, senior services, and specialty care, suffered a data exfiltration attack between July 2025 and August 2025. MHS identified suspicious network activity, engaged outside cybersecurity specialists, and confirmed unauthorized access through forensic investigation. The WorldLeaks ransomware group claimed responsibility on September 23, 2025 by listing MHS on its Tor-based leak site. MHS posted a public notice on December 1, 2025 and filed with HHS on December 2, 2025 using a 500-individual placeholder figure pending file review.

The breach affected approximately 24,000 individuals based on records indexed by breach-tracking services. Compromised fields included names, email addresses, phone numbers, home addresses, and Social Security numbers. As an integrated rural healthcare organization with senior and rehabilitation services, the underlying records exfiltrated by the attackers also include patient and resident identity, insurance, billing, clinical, and treatment information typical of family medicine, behavioral health, and long-term care operations, beyond the more limited field set surfaced publicly.

For affected patients, residents, and family members, the practical risk profile is unusually severe given the inclusion of senior-care patients. The combination of name, address, and Social Security number is a strong base for synthetic identity fraud and fraudulent credit applications. Inclusion in the dataset confirms a healthcare relationship in a small rural community where individuals may be readily identifiable based on name and address alone. Senior-care residents and their family members are an unusually attractive target for fraud schemes that exploit cognitive vulnerability or family-emergency framings. Affected individuals should freeze credit at all three U.S. bureaus, monitor health-insurance and Medicare statements closely, alert family members of elderly patients to be cautious of unsolicited contact, and treat unsolicited communications referencing MHS, senior services, or behavioral health programs with caution.

Long-term care and rehabilitation providers collect patient or resident identity, contact, insurance, billing, treatment, and family or guardian records across care operations.

Madison Healthcare Services identified suspicious network activity in late summer 2025 and engaged third-party digital forensics specialists. The forensic investigation confirmed unauthorized access to its network between July 2025 and August 2025. The WorldLeaks ransomware group, an active 2025 threat actor that has also targeted Coalinga Regional Medical Center, Myrtue Medical Center, Family Farm and Home, and Heritage Communities, claimed responsibility on September 23, 2025 by listing MHS on its Tor-based leak site. MHS posted a public notice of the incident on December 1, 2025 and reported the breach to the U.S. Department of Health and Human Services on December 2, 2025 using a placeholder figure of 500 affected individuals pending the file review. Class-action investigations by U.S. plaintiff law firms began organizing in December 2025.