In 2023, Singing River Health System in Mississippi was hit by the Rhysida gang. In October 2023, Singing River Health System and its wholly owned subsidiary, Singing River Gulfport notified HHS that 895,204 patients had been affected. In response to the incident, they reportedly implemented a series of improved technical safeguards.
Whatever they did was not enough to prevent an attack in 2025 by the Anubis gang. This one affected 53,888 patients. HealthExec reports:
Last month, Singing River Health System reported official numbers from the incident to the U.S. Department of Health and Human Services’ Office for Civil Rights, which operates a data breach tracker. This came after an investigation into what it called a “cybersecurity incident” that staff at Singing River discovered a few days after cybercriminals were already inside its network.
According to the health system, which said it worked with a third-party cybersecurity firm on its investigation, its network was compromised from Dec. 19-21, 2025, before the unauthorized access was discovered and containment protocols were deployed.
In February 2026, the three-hospital community health network confirmed sensitive patient data was accessed by nefarious actors. Stolen data included contact information, Social Security numbers, dates of birth, IDs, details on patient treatment, diagnostic test results, lists of medications, bank account information, health insurance numbers and provider names.
Read more at HealthExec, which cites claims by Anubis, as reported by Comparitech.
SuspectFile also provides additional details on Anubis’s claims, also noting that some have not been confirmed. SuspectFile reports:
“Access was gained from the provider by brute-forcing the corporate VPN. The password was very weak and ridiculous.”
These are claims that could not be independently verified and must therefore be considered solely as statements from the claimed perpetrators of the attack.
Anubis also claims that, once access was gained, its affiliates remained inside the network for about two weeks to study the infrastructure architecture, analyze business processes, and exfiltrate data.
According Anubis, domain controllers, file servers, NAS systems, and hypervisors were encrypted during the attack.
Read more at SuspectFile.
