Signature Healthcare, the Massachusetts-based health system operating Brockton Hospital and a network of outpatient facilities, is still reeling from a ransomware attack first detected on April 6, 2026. The Anubis ransomware-as-a-service (RaaS) group claimed credit on April 9, alleging it exfiltrated 2 terabytes of “critical” and “sensitive” patient information — though Anubis says it chose not to encrypt systems.

A week into the incident, the operational fallout remains severe.

What Happened

On the morning of April 6, Signature Healthcare’s security team detected unauthorized activity across its information systems. The organization immediately activated incident response procedures, engaged third-party forensic investigators, and notified federal law enforcement.

By April 9, Anubis had posted Signature Healthcare to its dark web leak site, claiming possession of 2TB of stolen data including patient records, internal documents, and what it described as sensitive clinical information. Notably, Anubis stated it did not deploy encryption — a deliberate tactical choice that aligns with the group’s evolving playbook of pure data extortion without the operational noise of file encryption.

By Friday, April 11, Signature Healthcare had been removed from Anubis’s leak site. A Signature Healthcare spokesperson declined to comment on whether ransom negotiations are underway.

Operational Impact

The attack has forced Brockton Hospital into extended downtime procedures that are still ongoing as of April 11:

  • Emergency department on divert: Ambulances are being redirected to alternate hospitals because critical IT systems required for patient intake and records remain unavailable.
  • Chemotherapy treatments canceled: Infusion appointments have been suspended, directly impacting cancer patients mid-treatment.
  • Paper-based operations: The electronic medical record (EMR) system and patient portal are offline. Clinical staff are documenting on paper charts.
  • Pharmacy limitations: On-site pharmacies can provide consultations but cannot fill prescriptions through normal electronic workflows.
  • Surgical procedures postponed: Some scheduled procedures have been temporarily canceled pending system restoration.

There is no public timeline for full recovery.

Who Is Anubis

Anubis emerged as an active RaaS operation around December 2024 and has been escalating operations throughout 2025 and into 2026. Trend Micro analysts have characterized the group as adding “a destructive edge to the typical double-extortion model” through a file-wiping capability — giving operators the option to destroy data on victim systems rather than merely encrypting it.

The group’s decision not to encrypt Signature Healthcare’s systems while still claiming massive data exfiltration suggests a shift toward pure extortion. This approach reduces the attacker’s operational footprint (no ransomware binary to trigger EDR alerts during encryption) while maintaining leverage through the threat of data publication.

Anubis operates an affiliate model typical of modern RaaS groups, providing infrastructure, negotiation services, and a leak site to recruited operators in exchange for a cut of ransom payments.

What to Do Right Now

Healthcare organizations should treat this as a signal to audit their own exposure:

  1. Validate network segmentation: EMR systems, clinical devices, and administrative networks should be segmented so that compromise of one zone does not cascade into patient-facing operations.

  2. Audit data exfiltration controls: Monitor for large-volume outbound transfers. 2TB does not leave a network silently — if your DLP or network monitoring did not catch it, you have a visibility gap.

  3. Test downtime procedures: If your hospital cannot operate on paper for 72+ hours, your continuity plan needs work. Brockton Hospital is now past the one-week mark.

  4. Review backup and recovery: Anubis chose not to encrypt here, but the next group will. Ensure offline backups exist, are tested, and can restore critical systems within your RTO.

  5. Patch internet-facing assets: Anubis and similar groups routinely exploit known vulnerabilities in VPN appliances, remote access gateways, and web-facing applications for initial access.
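
For item 2, an added example (not part of the original article) of egress monitoring that sums outbound bytes per internal host across all external destinations and over several days, so a transfer split into many moderate flows still surfaces. The flow record layout, the thresholds, and every address and volume below are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

GB = 10**9
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (day index, source, destination, bytes sent).
FLOWS = (
    # File server: 2 GB/day baseline, then 60 GB/day split over two destinations.
    [(d, "10.1.5.20", "203.0.113.10", 2 * GB) for d in range(1, 6)]
    + [(d, "10.1.5.20", dst, 30 * GB) for d in range(6, 11)
       for dst in ("198.51.100.7", "198.51.100.8")]
    # Workstation with steady, small egress.
    + [(d, "10.1.9.44", "203.0.113.80", 1 * GB) for d in range(1, 11)]
    # Internal replication: large, but it never leaves the network.
    + [(d, "10.1.5.20", "10.2.0.5", 500 * GB) for d in range(1, 11)]
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def daily_egress(flows):
    """Bytes sent to external addresses per source per day, all destinations summed."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, sent in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += sent
    return totals

def flag_hosts(flows, window=3, window_limit=150 * GB, spike_factor=10):
    """Return {source: [reasons]} for hosts that trip either rule."""
    findings = {}
    for src, per_day in daily_egress(flows).items():
        days, reasons = sorted(per_day), set()
        for i, day in enumerate(days):
            # Rule 1: cumulative egress over the trailing `window` days.
            recent = sum(per_day.get(d, 0) for d in range(day - window + 1, day + 1))
            if recent > window_limit:
                reasons.add("window_volume")
            # Rule 2: today against the host's own median of earlier days.
            prior = [per_day[d] for d in days[:i]]
            if len(prior) >= 3 and per_day[day] > spike_factor * median(prior):
                reasons.add("baseline_spike")
        if reasons:
            findings[src] = sorted(reasons)
    return findings
```

With the sample data, `flag_hosts(FLOWS)` flags only the file server, for both rules; a per-flow alert set at 50 GB would not have fired on any single record leaving the network.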

Broader Context

Healthcare remains one of the most targeted sectors for ransomware. The FBI’s 2025 Internet Crime Report flagged healthcare as the most-reported critical infrastructure sector for ransomware incidents. Attacks like this one demonstrate that even when encryption is not deployed, the combination of data theft and operational disruption creates enormous pressure to pay.

The removal of Signature Healthcare from Anubis’s leak site — without any public disclosure of a resolution — is a pattern frequently observed when negotiations are active. Whether this ends in payment or public data release, the damage to patient care has already been done.
