-
Hackers stole 25 GB of data from Windward Life Care in California, then leaked it online after the company refused to pay.
-
Months after Windward Life Care’s ordeal, Legend Senior Living in Kansas noticed a breach, which affected thousands plus over 5,000 Texas residents.
-
Both attacks led to the exposure of personal data, including SSNs, medical records, and financial information.
Two US healthcare centers for the senior, Windward Life Care in California and Legend Senior Living in Kansas, suffered ransomware attacks last year.
The attacks compromised sensitive patient data, and the attackers leaked the stolen information on the dark web after neither of the organizations agreed to pay ransom.
Details of the California Attack
Windward Life Care – a company in San Diego offering in-home care to older and disabled adults since 2004, has faced its biggest challenge yet.
Last December, Windward Life Care noticed some weird activity on their network. When they looked into it, they found that an authoritzed party had sneaked into their systems.
The hacker encrypted the company’s database, locking them out. Windward Life Care terminated the access on the same day they discovered it. Unfortunately, things had already gone south and the attacker demanded ransom to release the files. However, the company refused to pay.
A few months back, on January 5, a ransomware gang calling itself Sinobi, took credit for the hack. The crew listed Windward Life Care as one of their victims in a post on their dark web site.
Sinobi said they stole 25 GB of information from the institution’s systems. When no payment came, they published everything online for anyone to see.
It took Windward Life Care until April 6 to finally get round to reviewing the stolen files. And on April 10, they mailed out notification letters to the individuals whose information the hackers stole.
What data got taken? The list is frighteningly long. Names, addresses, email addresses, and Social Security numbers all went missing.
Driver’s license numbers, taxpayer ID numbers, and passport information also got stolen. Financial account numbers, patient identification numbers, and debit or credit card details were compromised too.
Even handwriting or electronic signatures were taken. Medical information, health insurance data, usernames, and other account-related information also fell into hacker hands.
The Kansas Breach
Legend Senior Living in Wichita, which serves overage residents, experienced a crisis of its own. The discovered something was amiss on August 15 2025. Interestingly, based on investigations, the hackers had already broken into their systems since July. Meaning the attackers had been roaming around their network as they pleased for almost three weeks.
They viewed or acquired files with personal and protected health information. Legend Senior Living promptly launched a comprehensive investigation.
The company called in the cybersecurity experts to have a good look at what had happened. They couldn’t complete the review until March 12, 2026, which is over 8 months after the breach. Legend Senior Living started notifying victims on April 10.
The Worldleaks threat group claimed responsibility for this attack. They announced the targeting of Legend Senior Living on September 18, 2025. Worldleaks stated they had seized critical data from the institution and demanded ransom else they’ll release everything online.
Later, when Legend Senior refused to pay, the group went ahead and leaked the stolen data. The breach affected thousands of individuals. Legend Senior Living informed the Texas Attorney General that 5,006 Texas residents alone had their data compromised.
Compromised information included names and Social Security numbers. Driver’s license numbers, state ID numbers, and passport information also got taken.
Financial account information, medical records, and health insurance data were stolen too. The company is now providing 12 months of complimentary credit monitoring. They are offering identity theft protection services through TransUnion to all affected individuals.
Implications of These Attacks and Possible Mitigation Strategies
These attacks can be absolute disasters for the most vulnerable among us, older people living on fixed incomes who can barely scrape by and can’t recover quickly from identity theft.
Stolen Social Security numbers are basically goldmines for scammers. They could use the info to file scam tax returns, open credit cards, and take loans in the name of the victims. In addition, bad actors can use stolen identities to access medical care.
Moreover, exposure of medical information especially bodes badly for older patients. Fraudsters could alter their prescriptions, access their treatment records, or commit insurance fraud.
The dark web is not only used for selling stolen medical data, a recent investigation found that a Scottish care worker shared child abuse fantasies on the dark web, demonstrating the disturbing range of criminal activity that occurs in these hidden online spaces, from healthcare data trafficking to the sharing of illegal and harmful content.
The delayed discovery at Legend Senior Living made things worse. The long interval between incident discovery and response for both companies gives bad actors enough time to use the stolen data however and for whatever they please.
In the meantime, both institutions currently face potential lawsuits and regulatory fines. Chances of the HHS Office for Civil Rights finding them for violating HIPAA are high.
So How Can Care Institutions Protect Themselves?
The first call is to put strong and encrypted offline backup systems in place. Then turn on multi-factor authentication on every remote access point. Also, do security audits and penetration testing from time to time.
And importantly, train employees to spot phishing emails because more than half of ransomware attacks gain access because someone clicked a bad link.
In addition, have an incidence response plan ready before, not after attacks happen. It means you know who exactly to handle what, who to call, and the steps to take should an attack hit.
Finally, think of investing in cyber insurance, it helps shoulder some of the costs of breaches. However, don’t relax thinking insurance will cover you because prevention is always cheaper than recovery.
For individuals worried about their data, freeze your credit. Monitor your bank statements closely. Use identity theft protection services if offered. And remember, if a company offers you free credit monitoring after a breach, take it. Those 12 months from TransUnion could save you years of headache.
