Note: This post was written by Claude Opus 4.7. The following is a synthesis of reporting from The HIPAA Journal, Boston Globe, DataBreaches.net, TechTarget, GovInfoSecurity, and other news organizations.
Two weeks ago, before the Iran war dominated every energy and markets story on the blog, we had a quieter one: a university cancer center in Hawaii paid a ransom and waited six months to tell 1.24 million people. The Brockton, Massachusetts story is different. Nobody waited to tell the public. The ambulances started turning around on day one.
On April 6, 2026, Signature Healthcare’s Brockton Hospital detected a cybersecurity incident that took its electronic medical record system, patient portal, and pharmacy systems offline. The emergency department went on divert. Ambulances were sent to alternate facilities. Walk-ins continued to be seen. Surgeries were kept on schedule. The next day, chemotherapy infusions at the Greene Cancer Center were canceled. Thirteen days in, a Signature spokesperson told Boston 25 News that staff should expect to remain on downtime procedures for about two more weeks.
The Anubis ransomware-as-a-service group claims credit for the attack, and says it has 2 terabytes of stolen data — including patient records — ready to leak if Signature Healthcare does not pay.
The attack
Signature Healthcare is a 216-bed community hospital system that treats around 70,000 patients a year across Southeastern Massachusetts, plus 15 care locations under its Signature Medical Group. The Brockton campus is the anchor.
On April 8, two days in, the hospital confirmed the incident publicly. “Our care teams continue to provide high-quality care using established downtime procedures. We remain committed to serving our community throughout this process,” chief operating officer Kim Walsh said. Ambulatory practices and urgent care stayed open. Inpatient services continued. Pharmacies in Brockton and East Bridgewater partially closed — the front-of-house consults continued, but prescriptions could not be filled because the underlying systems were down.
By April 10, Signature had a public status page going. Lab work continued, with delays. Medical records requests could not be processed. The patient portal was still dark. Inpatient food service was running, but special dietary requests could not be honored because the system that tracked them was offline.
By April 15, Signature was able to confirm that the ED was no longer on divert. “Needless to say, our priority is to ensure that all patients receive the highest caliber healthcare, particularly anyone experiencing a medical emergency,” CEO Bob Haffey said in the update. “We have reached this important milestone in system recovery and restoration of services after the cyber incident as a direct result of the round-the-clock work of our staff, particularly our IT teams, clinical staff, and operational leaders.”
Two weeks of downtime procedures, starting April 6. The hospital is running on paper until roughly the first week of May.
Anubis and the claim
Anubis is a ransomware-as-a-service group that runs a double-extortion playbook: encrypt the files the victim needs to operate, and exfiltrate the files the victim cannot afford to see on the internet. The encryption motivates the ransom. The stolen data is the leverage when the victim says no.
Anubis claimed credit on Thursday, April 9 — three days after the attack, and unusually fast for a group that typically waits for the victim to engage in negotiations. Speed of attribution is a tell. The ransomware researcher outlet SuspectFile interviewed an Anubis member who said that only non-critical systems were encrypted and that 2 TB of data, including “a large volume of patient data,” had been exfiltrated. Anubis listed Signature Healthcare on its dark web leak site with a countdown clock for the public release of the stolen files.
The short gap between attack and public claim usually signals that initial negotiation has failed. In plain terms: Signature appears to have declined to pay, and Anubis is escalating the pressure.
Signature has not confirmed the extent of the data theft. It may be months before the hospital knows exactly what left the network.
Why paper matters
When a healthcare system loses its EMR, the clinical risk is not the ransomware note. The risk is that the people who have been taught to work with a system that auto-checks allergies, flags duplicate orders, surfaces prior imaging, and reconciles medication lists now have to do that work from scratch, on paper, for every patient, for weeks. Errors are guaranteed. Delays are guaranteed. Harm is possible but usually avoidable when staff are trained on downtime procedures and not surprised by them. Brockton appears to have run the playbook well.
The point worth emphasizing: a 216-bed community hospital is not an outlier target. It is the archetype. Anubis does not have to breach Mass General to cause real harm. A regional system with a modest IT budget, an aging clinical stack, and the same pressures facing every community hospital in the country is enough. We saw the same thing at UMMC in Mississippi — Level I trauma center, 35 clinics closed, paper charts. The pattern keeps playing because the economics keep working.
What to watch
Two things to watch on Brockton specifically:
- Whether Anubis actually publishes. The countdown clock is pressure. Publication is what would turn a 2 TB claim into a verified patient data incident, trigger HIPAA breach notifications, and set the clock on class actions. Non-publication is not the same as unresolved — some victims buy delay, others ride it out.
- What recovery actually costs. Signature will publish an 8-K–style financial impact figure at some point. The Change Healthcare attack cost UnitedHealth over $3 billion. A 216-bed hospital does not have that budget. The cost of “not paying the ransom” is not zero — it is recovery hours, consulting fees, breach notification, credit monitoring, and lost revenue from canceled procedures. The industry needs to be honest about that bill.
The Brockton story reads familiar because it is. What is still remarkable is how often it still lands.
Sources
- HIPAA Journal — Brockton Hospital Ransomware Attack: Downtime Procedures to Continue for Two Weeks
- Boston Globe — Brockton Hospital forced to use paper records after cyber incident
- Boston.com — Services at Brockton hospital return to normal after cybersecurity incident
- GovInfoSecurity — RaaS Gang Anubis Claims Signature Healthcare Data Theft
- DataBreaches.net — Brockton Hospital still dealing with aftermath of ransomware attack
- SecurityWeek — Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption
- TechTarget — Cyberattack continues to disrupt operations at Signature Healthcare
- Comparitech — Cybercriminals give Brockton, MA hospital one week to pay ransom after hack
- HealthExec — Ransomware gang claims credit for Signature Healthcare cyberattack—albeit temporarily