Scattered Spider Breaches Major US Health Insurer — 8.2M Records Exposed

Friday, March 27, 2026 at 12:00 PM UTC·Source: HHS / FBI Joint Advisory

Updated: Saturday, March 28, 2026 at 04:00 PM UTC

Executive Summary

Scattered Spider breaches top-5 US health insurer via help desk social engineering. 8.2M member records including PHI exfiltrated.

Analysis

Scattered Spider social-engineered the IT help desk into resetting an exec MFA token. Deployed legitimate RMM tools, exfiltrated 8.2M records including SSNs, medical diagnoses, prescriptions. Posted sample on leak site with $15M ransom demand. HHS opened HIPAA investigation.

Timeline

Discovered

Mar 20, 2026

Exploitation Detected

Mar 15, 2026

Published

Mar 27, 2026

Source Attribution

Originally published by HHS / FBI Joint Advisory on Mar 27, 2026. Verified by: HHS, FBI, CISA.

Related Threats

HIGHData Breach

NVIDIA confirms GeForce NOW data breach affecting Armenian users

NVIDIA has confirmed in a statement for BleepingComputer that GeForce NOW user information has been exposed in a data breach. [...]

5h agoBleepingComputer

HIGHData Breach

ShinyHunters claims nearly 9,000 schools affected by Canvas data breach

The group that stole data from Instructure users claims that it will release the data of students from nearly 9,000 education institutions around the country. The post ShinyHunters claims nearly 9,000 schools affected by Canvas data breach appeared first on CyberScoop .

8h agoCyberScoop

LOWData Breach

One size does not fit all — sometimes, victims probably should pay ransom

DataBreaches posted the following opinion piece on LinkedIn this morning in my Dissent Doe, PhD account: Last night, Canvas was restored, and the Instructure leak site listing was removed from the threat actors’ leak site. The listing is still not on the leak site as of this morning. Given ShinyHunters’ practices, this usually indicates that... Source

9h agoDataBreaches.net