Cancer hospital breach is claimed by Qilin gang in new ransomware low


The Qilin ransomware group said it is responsible for the February 10th hack of a prestigious cancer treatment center in Japan, exposing the sensitive health information of 300,000 patients and leaving its hospital system “unusable.”

The Utsunomiya Central Clinic (UCC) cancer treatment center first alerted the public to the ransomware attack on its website on February 18th, roughly a week after announcing it was experiencing technical difficulties with its network systems.

Located in Utsunomiya city on Japan’s main Honshu island, the clinic stated that once it discovered the breach, it took measures “to disconnect the server from the internet and the hospital's network,” forcing the clinic to limit its medical care services.

“As a result, our in-house system has been unable to be used, and for the time being, we will be restricting our consultation and medical checkup services,” the cancer diagnostic and treatment facility said on its website, translated to English.

UCC breach notice on the Utsunomiya Central Clinic website, ucc.or.jp.

According to the Russian-linked ransomware gang, which posted the cancer clinic on its dark leak blog, UCC's network has been encrypted, and “135GB of medical data related to Japanese citizens leaked from there,” the equivalent of "178,319 files."

The specialized cancer clinic was founded by one of Japan’s cutting-edge longevity health practitioners, Dr. Toshihiko Sato, to focus on early detection and treatment of cancer, including breast cancer, which causes around 30% of deaths in modern Japanese society.

Qilin stated that UCC’s “management refused to communicate with us to protect the data leaked from own network,” boasting it had taken various medical and personal data related to Japanese citizens, including patient data and medical records, specific medical examinations, radiology and X-ray data records, BOD secretary data, and ECG and ECG-Holter data.

The Utsunomiya Central Clinic (UCC) provided a comprehensive list of the patient data stolen from the cases of approximately 300,000 people:

  • Patient name, date of birth, gender, address, telephone number, email address, medical information, health check information, etc.
  • Personnel information on doctors, nurses, and employees involved with the hospital: name, date of birth, gender, address, telephone number, etc.

The cancer clinic said patient financial and credit card data, as well as patient My Numbers (Japan’s social security numbers), were not compromised in the breach.

Qilin additionally provided six samples from the treasure trove of electronic protected health information (ePHI) it allegedly exfiltrated from UCC servers.

Cybernews can confirm those samples appear to show treatment cases, several radiology images showing cancer diagnostics, and what appear to be professional medical documents/licenses.

Utsunomiya Central Clinic leak samples on the Qilin leak site. Image by Cybernews.

“It is not recommended to use UCC's services since your very sensitive data and even gut photos might become public because of Toshihiko Sato's inconvenience. Your health data is not safe there,” the group taunted patients in its post.

UCC officials are urging customers “to be cautious about direct mail, suspicious emails, and fraudulent phone calls” pretending to be from members of the Utsunomiya Central Clinic.

The cancer facility has further set up a hotline for patients to call for more information, and says it will post updates on its website when the clinic will re-open.

Who is Qilin?

The lesser-known Qilin gang has been stepping up its attacks since the start of 2025. Just last week, the group claimed responsibility for ransomware attacks on the Houston Symphony, the local Detroit PBS, and its most significant victim so far this year, the US newspaper conglomerate Lee Enterprises, attacked on February 3rd.

Qilin, also known by some security insiders as Agenda, is believed to be Russian-speaking, as the gang vows to avoid targeting Commonwealth of Independent States (CIS) nations.

The group, which operates using a ransomware-as-a-service (RaaS) model, first appeared on the ransomware circuit in 2022 and is known for using double extortion tactics on its victims.

Its recently updated ransomware variant, Qilin.B, is said to be customizable for affiliates, to offer multiple encryption methods, and to be written in the Rust programming language, according to a January 2025 Blackpoint profile on the gang.

Showing a steady stream of attacks over the last 12 months, Qilin’s overall victim count is clocked at 191 attacks, according to the Cybernews Ransomlooker monitoring tool, with a spike of 29 victims listed on its dark blog in just the last month.

Qilin on the Cybernews Ransomlooker tool, March 2025. Image by Cybernews.

In 2024, Qilin was responsible for the high-profile attack on the UK’s National Health Service (NHS) partner Synnovis labs, which disrupted services at multiple London hospitals for weeks, caused the NHS to declare a “critical incident,” and came with an alleged $50 million ransom demand.

A March 2023 undercover investigation by Group-IB shed some light on the inner workings of the gang, which was initially seen targeting its victims with phishing emails.

The group has more recently been linked to exploiting its victims by harvesting Google Chrome credentials, and by stealthily evading or disabling Endpoint Detection and Response (EDR) systems, Blackpoint said.

It has been observed exploiting the well-known “Citrix Bleed” zero-day vulnerability, also used last year by the ALPHV/BlackCat ransom group in the massive United Health attack.

The Citrix bug was disclosed by the cloud computing company in 2023. Although it has since been patched, many companies have been slow to update their systems, leaving them exposed to attacks.

Other past Qilin victims include Yanfeng, one of the top North American auto parts suppliers for GM, Chrysler, Jeep, Dodge, and Ram.