Ransomware Group Qilin Claims Attack on Rural Mental Health Provider, Records at Risk

Patient records at a rural northeastern mental health provider may be exposed after the ransomware group Qilin posted a claim on its dark web leak site on March 24 targeting Aroostook Mental Health Services, a community mental-health organization serving a rural patient population in parts of the northeastern United States. Researchers warned that patients and records are at risk, though the full scope of any data access or exfiltration has not been confirmed.

The claim against Aroostook Mental Health Services was published on March 24, with the organization operating in the healthcare sector in the United States. No ransom demand or data samples have been publicly detailed in connection with the posting, and Aroostook Mental Health Services had not issued a public statement at the time of publication.

The targeting of a community behavioral health provider fits a documented pattern for Qilin. In May 2025, Qilin was attributed to a breach at Covenant Health that began on May 18, compromising sensitive data belonging to nearly 478,188 patients across multiple facilities, with exposed information including names, dates of birth, medical record numbers, Social Security numbers, and treatment details. Qilin actors practice double extortion, demanding payment for a decryptor as well as for the non-release of stolen data.

The Aroostook claim arrives as Qilin closes out what cybersecurity researchers describe as a historically prolific stretch of activity. With 1,022 cyberattacks to its name, Qilin was the most prolific ransomware operation of 2025. Healthcare was the most targeted sector globally, with 27 incidents recorded in January 2026 alone. In Q2 2025, Qilin replaced RansomHub as the most active ransomware targeting U.S. state, local, tribal, and territorial organizations, increasing from 9% of reported incidents to 24%.

Qilin's expanding focus on U.S. institutions extends well beyond healthcare. Cybersecurity firm Resecurity documented the group claiming responsibility for a September cyberattack on Asahi Group Holdings, Japan's largest beverage manufacturer commanding nearly 40% of the national beer market, according to Morningstar. The attack disrupted operations across the conglomerate's brewing facilities, temporarily halting production and shipping at most of its 30 factories, according to BBC reporting. Qilin alleged the theft of a substantial amount of data from Asahi's systems. As of October 10, all of Asahi's Japanese facilities had partially reopened but computer systems remained down.

In a separate October 15 announcement tracked by Resecurity, Qilin named additional victims including Spain's tax administration agency Agencia Tributaria, Richmond Behavioral Health Authority in Virginia, Centurion Family Office Services LLC, nutraceutical manufacturer Rasi Laboratories, and Victory Christian Center in Tulsa, Oklahoma. Resecurity described October as one of the most "fruitful" months for the group, with Qilin publishing over 50 new victims from geographies spanning Croatia, Grenada, France, Germany, Hungary, Italy, South Korea, Spain, Pakistan, and Qatar.

Qilin also previously claimed responsibility for a May 2025 attack on Cobb County Government in Georgia, alleging the exposure of personal and legal data of local government employees and citizens, with over 150 GB of files including autopsy photos, driver's licenses, and Social Security numbers reportedly stolen.

A prior Qilin attack on a key provider in the London healthcare system resulted in more than 170 cases of patient harm, including two cases of long-term or permanent harm and one patient death. The group shows no discipline in avoiding healthcare providers, municipal services, or other entities that support public health and wellbeing, and it only takes a single well-placed attack to disrupt services to an entire region.

For patients served by Aroostook Mental Health Services, the immediate priority is monitoring for any official notification from the provider, which would be required under federal HIPAA breach notification rules if protected health information was accessed. The FBI and CISA have both issued advisories on Qilin's tactics and indicators of compromise that affected organizations can reference for guidance on response and containment.