Double Trouble: Two Gangs Both Attack and Encrypt the Same Revenue Cycle Management Firm

January 26, 2026

SuspectFile reports that two well-known ransomware gangs independently attacked and encrypted files from Resource Corporation of America (RCA), a revenue cycle management business associate headquartered in Texas.

What happened next is not totally clear because neither the Qilin gang nor the victim provided any details, but SuspectFile reports that the Medusa gang provided some information:

On January 4, 2026, the Medusa group listed RCA as a victim on its DLS, publishing the company’s name along with approximately 30 allegedly exfiltrated documents, marking the start of the typical public pressure phase of double-extortion ransomware operations. At that stage, Medusa claimed possession of additional data.

Subsequently, the Qilin group also listed RCA on its DLS, indicating that the same organization had been compromised in a separate ransomware operation.

Medusa provided a statement clarifying the sequence of events from their perspective: both Medusa and Qilin stole sensitive data and encrypted RCA’s network. Medusa further stated that the company contacted Qilin and not Medusa for negotiations, that Qilin informed Medusa about the contacts, and that the groups discussed a minimum ransom price. RCA ultimately refused the proposed terms, resulting in the failure of negotiations.

Both of our team and Qilin group, stole sensitive data and both encrypted their network.
Company contacted Qilin, not us. Qilin group informed us that company contacted to them and we discussed minimum price.
Company disagreed our price and finally negotiation failed.

Medusa subsequently leaked approximately 70 GB of data, allegedly from RCA. SuspectFile reports that it contains a lot of what appears to be protected health information of patients “such as full names, dates of birth, sex, full residential addresses, copies of identity documents (passports, driver’s licenses, Social Security Numbers), and thousands of patient records with account numbers, Patient IDs, Medical Record Numbers, insurance types and policy numbers, and guarantor information.” SuspectFile does not indicate whether the data were validated as real, and RCA did not respond to the journalist’s inquiries.

For its part, Qilin still lists RCA on its darkweb leak site, but it did not post any proof of claims when it added RCA to the site on January 12, and it has not posted any data since then.

So what really happened? Did both gangs gain access to RCA via the same means, such as compromised credentials from an infostealer log? Did they both access and encrypt or acquire the same data? Did Qilin and Medusa agree on one price that they would split to decrypt all files, with Medusa doing the negotiating for both gangs?

There is much that we do not yet know about this incident.

Hopefully RCA had recent and usable backup files. As a HIPAA-regulated entity, they can reasonably expect HHS OCR may have a lot of questions about their risk assessment and security controls for PHI. And as SuspectFile reports, one potential class-action lawsuit has already been filed.