A home security company couldn't keep its own customers safe. A Wisconsin grandma drove an hour for a prescription. A Minnesota county had to call the National Guard to renew a driver's license. This is what a bad week looks like.
One phone call cost ADT 5.5 million customer records. A pharmacy counter went dark in Wisconsin. The National Guard rolled into a Minnesota county for the second time in 100 days. A library in Michigan had to ask its patrons to change their bank passwords. And on Thursday morning, the federal government fined four healthcare practices $1.165 million for skipping a single piece of paperwork. Let’s talk about it.
01 // THE_PHONE_CALL_THAT_EMPTIED_ADT
We don’t know the name of the ADT employee who picked up that call. We don’t know if they were on day three or year fifteen. We know the call worked. We know that whoever was on the other end walked them through giving up their Okta single sign-on credentials, the same credentials that unlock every cloud system at one of the biggest home security companies in America. And we know that minutes later, somebody who was not an ADT employee was logged into ADT’s Salesforce instance, vacuuming up customer records.
Eleven gigabytes of them.
ADT detected the breach on April 20. They sat on it for four days. On April 24 the ransomware crew known as ShinyHunters posted ADT to their leak site with a deadline. The note said this was a final warning before “several annoying digital problems” came ADT’s way. ADT did not pay. On April 27 ShinyHunters dumped the archive online. Have I Been Pwned ingested it the same day and confirmed 5.5 million unique email addresses, names, phone numbers, addresses, and for some unlucky percentage, dates of birth and the last four of their Social Security numbers.
ADT’s official statement leaned hard on what the attackers didn’t get. No payment information. No security system access. The home alarm panel on your wall is fine. They want you to know the home alarm panel on your wall is fine.
Here’s what they’re not putting in the press release. ShinyHunters has now run this exact playbook against M&S, Co-op, Cisco, Google, Allianz Life, Wynn Resorts, Harvard, McGraw-Hill, Workday, and as of last week, Medtronic. There’s no zero-day. There’s no clever malware. There’s a guy on a phone, and there’s an employee who picks up.
“ShinyHunters didn’t breach these companies through complex zero-days. They manipulated the human layer to walk through the front door of their Salesforce environments.”
— ZOE MURATA, SILENT PUSH RESEARCHER
Now let’s bring this home. Your front desk has a Sarah. So does every dental practice in Johnston County. So does every law firm in Raleigh. Your Sarah has the same single sign-on you have, because that’s how cloud apps work in 2026. The hire who started Tuesday and the founding partner have identical access to the same systems, separated by nothing but a six-character password and whatever multi-factor app the IT guy set up three years ago.
The home security company couldn’t keep itself secure. Read that sentence twice. Then think about what your front desk knows about phishing.
$ tell_your_team
Nobody from IT, no vendor, and nobody from any company you’ve ever heard of will ever call your office and ask anyone for their password. Not over the phone. Not in a Teams chat. Not by text. If somebody calls saying they’re IT and they need credentials to “fix” something, your staff hangs up and calls IT directly.
$ enable_phishing_resistant_mfa
SMS codes are dead. App-based codes are getting walked around. Hardware keys (YubiKey) or platform passkeys are what stop this attack. If your team is still on text-message MFA in 2026, you’re using 2018 security on a 2026 problem.
02 // PHARMACY_COUNTER_GOES_DARK_IN_MAUSTON
Tuesday morning, April 22. Somebody in Necedah, Wisconsin walks up to the pharmacy counter at the Mile Bluff outreach clinic to pick up a prescription. The pharmacist looks at them with the look you give when you’re about to deliver bad news to a regular customer. The system is down. The pharmacy at this location can’t fill anything today. If they need that prescription, they need to drive to the main hospital in Mauston.
Necedah to Mauston is twenty miles. Elroy to Mauston is twenty-five. New Lisbon is closer, but for somebody on a fixed income who timed their week around a refill, twenty miles is a different kind of distance.
Mile Bluff Medical Center is a 40-bed acute-care hospital serving Juneau County, about 50,000 people in central Wisconsin. The kind of place where the same family has been taking their kids for forty years. That morning, the IT staff confirmed what nobody at a small hospital ever wants to confirm. They had a security event involving data encryption. The phones were unreliable. The computers were down. Clinical staff went to paper.
Going to paper sounds like a workaround. It is. It also means somebody in the ER is writing down a patient’s medication list with a Bic pen on a clipboard, while the patient tries to remember exactly what dosage they were on. It means a nurse is calling another nurse on a personal cell phone because the desk phones aren’t routing right. It means every workflow that used to take thirty seconds takes ten minutes, and every minute matters when you have one nurse covering three rooms.
CEO Dara Bartels put out a statement saying the team was working to fully restore systems and that they’d share more once they understood what data, if anything, was touched. As of this writing nobody has claimed it publicly. No ransomware group has posted Mile Bluff to a leak site. That doesn’t mean the data is safe. It means the negotiation is still happening behind the scenes, or the attackers are still going through what they took.
Here’s the part nobody in healthcare wants to admit. The “we’re too small to be a target” defense died years ago. Ransomware crews specifically prefer small rural hospitals because they have fewer IT staff, fewer security tools, and less ability to absorb downtime. A 40-bed hospital with one IT director and an outsourced MSP is not flying under the radar. It’s the sweet spot.
If you run a dental practice or a medical clinic and you don’t have a written downtime procedure that your front desk has actually practiced, you don’t have a downtime procedure. You have a hope.
$ write_a_real_downtime_plan
Today. Print one page. Where do paper charts live? Who calls who? How does the front desk look up insurance without the EHR? What pharmacies do you fall back to? Tape a copy at every workstation. Run a one-hour drill next month where you actually unplug the network and see what breaks.
$ verify_your_backups
A backup that isn’t tested is a Schrödinger’s backup. It’s both there and not there until you try to restore. Most ransomware victims find out their backups don’t work the day they need them. Run a real restore test this quarter.
03 // TWICE_IN_100_DAYS_THE_NATIONAL_GUARD_ROLLS_IN
Winona County sits on the Mississippi River in southeast Minnesota. Population fifty thousand. The county building is old and brick and looks exactly like the kind of county building that would have a hand-lettered sign on the door telling you which window to go to for vehicle tabs. On Monday morning, April 6, somebody at that building tried to log in and couldn’t. By lunchtime they knew it was ransomware. By Tuesday morning, the governor of Minnesota had signed an executive order activating the National Guard’s Cyber Protection Team.
This was the second ransomware attack on Winona County in 100 days.
The first one hit in January and took 30 days to fully clean up. They thought they were done. They thought they’d locked the doors. Different threat actor this time, different entry point, same outcome. DMV services offline. Birth and death certificates offline. Property records offline. If you needed a driver’s license renewed in Winona County in mid-April, you got in your car and drove to the next county.
County workers went to paper and pen. For most of two weeks. The 911 dispatch never went down (the county was very public about that, and rightly so). Fire and ambulance never went down. But the unglamorous machinery of small-town government, the part that issues permits and certifies marriages and tracks who owns what acre of farmland, that all stopped.
“We train and plan for situations like this, and those plans are working. Even though it created a disruption, while technology is a major part of how we operate, it is not the only way we operate.”
— BEN KLINGER, WINONA COUNTY EMERGENCY MGMT
That quote right there is the whole story. Winona County had a plan. The plan worked. Not perfectly. They still got hit, twice. But they kept their courthouse running on legal pads while the National Guard tripled the size of their incident response team. They restored systems on April 24. They never disclosed whether they paid a ransom. The criminal investigation is still ongoing.
Two attacks in 100 days is the new baseline for county government, school districts, and small municipal utilities. There aren’t enough IT people in rural America to defend every clerk’s office in every town hall. The threat actors know it. They run automated scans across the entire internet looking for one unpatched VPN appliance, one exposed remote desktop port, one leaked credential, and they walk in.
If you’re on a town council, a school board, or a county commission and you’re still treating cybersecurity as a line item that competes with paving roads, you’ve already lost the next attack. You just don’t know it yet.
$ apply_for_SLCGP_grant
The State and Local Cybersecurity Grant Program exists for exactly this. If you’re on a county commission, town council, or school board, your state has a coordinator. Email them. The money is sitting there waiting for somebody to ask for it.
$ get_offline_backups
If your backups live on the same network as your production systems, they’ll get encrypted in the same attack. Immutable, air-gapped backups are the only thing that turns a 30-day ransomware crisis into a 3-day inconvenience.
04 // THE_LIBRARY_IS_ASKING_YOU_TO_CHANGE_YOUR_BANK_PASSWORD
Friday morning, April 24. A mom in Grand Rapids loads two kids in the minivan to go to the library, because Friday morning at the library is what they do. She pulls into the parking lot and the lights are off. There’s a sign on the door. The Kent District Library system, all 22 branches across Kent County, is closed.
Closed Friday. Closed Saturday. Closed Sunday. Closed Monday morning. A weekend gone for kids who had homework due, parents who needed to print tax forms, immigrants and refugees who use library computers to file their paperwork because they don’t have a computer at home, retirees who came to read the paper.
On Monday afternoon, KDL emailed every patron in the system. The email used the word ransomware. The email said the library had been hit, that the team had brought in outside investigators, and that they were working to understand what data, if any, had been touched. Standard breach notification language. Then the email said something else. It told patrons that if they had ever reused their KDL account password anywhere else, they should go change those passwords now. Especially their bank.
A library is asking you to change your bank password.
That sentence is the most honest thing any breach victim has said this month. They didn’t dance around it. They didn’t say “out of an abundance of caution we recommend reviewing your account hygiene.” They said: if your library password is also your Chase password, your Chase password is now in somebody’s database in a country we can’t extradite from.
Four branches reopened at noon on Monday. Cascade. Kentwood. Plainfield. Wyoming. The other 18 stayed dark. Even at the open branches, the public computers were unavailable. The printers were unavailable. The gaming labs were unavailable. The Kristin Hannah author event got bumped to May. The librarians are checking books out by hand on paper slips, like 1987 with better posture.
Across town, Cherry Health, the largest federally qualified community health center in Michigan, was simultaneously dealing with what they were calling an “organizationwide technology issue” affecting their phones. They were careful not to call it a cyberattack. The local TV stations were less careful.
Two community-serving institutions in the same metro, on the same weekend, both telling people their systems were down. The kids couldn’t print their book reports. The patients couldn’t reach their doctors. Whoever did this didn’t care about either.
$ stop_reusing_passwords
If you remember every password you use, you’re using too few of them. Get a password manager. Bitwarden, 1Password, Apple Passwords, doesn’t matter, just pick one. Every account gets its own random password. Every single one. The library breach doesn’t touch your bank if your bank password is unique.
$ check_haveibeenpwned.com
Type in your email address. The site will tell you every breach you’ve been in. If your address shows up on the new ADT dump, the Medtronic dump, or any of the others from this year, change those passwords today. While you’re drinking your coffee.
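The same lookup habit carried over to passwords, as an added example (my code, not the newsletter’s and not Have I Been Pwned’s): HIBP’s Pwned Passwords range endpoint takes only the first five characters of a password’s SHA-1 hash, so a script can learn whether a password is in a known breach without the password, or even its full hash, leaving the machine. The endpoint URL and the Add-Padding header are real; the sample corpus, counts and the offline fetcher are constructed so the block runs without a network.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real HIBP Pwned Passwords endpoint; only the first 5 hex chars of the
# SHA-1 hash are sent, so the service never learns the password or its hash.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex of the password, split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF and blank lines tolerated).
    Count-0 entries are padding, returned when the client sends
    'Add-Padding: true'; they are dropped so they never count as a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 means never seen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real service (network). The offline demo below does not call this."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service so the example runs offline.
# These passwords and counts are made up for the demo, not real HIBP data.
_CONSTRUCTED_CORPUS = {"password": 3861493, "Summer2026!": 12}


def fetch_range_offline(prefix: str) -> str:
    """Build one range response: matching suffixes plus a count-0 padding line."""
    lines = [f"{s}:{n}" for pw, n in _CONSTRUCTED_CORPUS.items()
             for p, s in [sha1_prefix_suffix(pw)] if p == prefix]
    lines.append("0" * 35 + ":0")  # padding-style entry, must be ignored
    return "\r\n".join(lines) + "\r\n"
```

Swap `fetch_range_offline` for `fetch_range_live` to check a real password; a non-zero count means the password should be retired everywhere it is used.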
05 // $1.165_MILLION_ON_A_THURSDAY_MORNING
Thursday, April 24. Somewhere in Washington D.C., a press release goes live on the HHS website. Then another. Then a third. Then a fourth. The Office for Civil Rights, the federal agency that enforces HIPAA, just announced four ransomware-related settlements at the same time. Total fines: $1.165 million. Combined patient data exposed across the four cases: more than 427,000 people.
Every single one of those four settlements came down to the same thing: the practice never did a real HIPAA risk analysis before they got hit. Not paperwork, not an MSP checklist, not a vendor’s compliance dashboard with green checkmarks on it. An actual document, signed by leadership, that says here’s what data we have, here’s where it lives, here’s what could go wrong, and here’s what we’re doing about each of those things.
Assured Imaging: PYSA ransomware, ~245,000 patients exposed
Axia Women’s Health: ransomware breach, regional women’s health group
Star Group L.P.: self-funded employer health plan, ransomware
Consociate Health: third-party benefits administrator, ransomware
Pay attention to that third one. Star Group is a self-funded employer health plan, which means it’s the company itself acting as the insurance, not Aetna or Blue Cross. OCR went after the employer plan as the covered entity. Not the carrier, the employer. Every law firm, every dental DSO, every regional medical practice that runs a self-funded plan to save money on benefits just got told they’re personally on the hook for the next ransomware attack.
And pay attention to the fourth one. Consociate is the third-party administrator, the vendor that processes claims for somebody else’s plan. They got fined too. The covered entity gets fined. The business associate gets fined. Everybody in the chain gets fined. The MSP that’s supposed to be running your security gets fined.
OCR Director Paula Stannard put it in the press release in the most boring possible language: hacking and ransomware are the most frequent type of large breach, and proactively implementing the Security Rule before a breach is the law and your best chance to mitigate harm. Boring language. Not a boring message. The message is that the federal government is going to keep finding the practices that didn’t do a risk analysis, and the federal government is going to keep fining them.
A real risk analysis costs less than the smallest fine on that list. By a lot.
$ pull_your_last_risk_analysis
If you can’t find it in five minutes, it doesn’t exist. If it does exist and it’s older than 12 months, OCR considers it stale. The risk analysis is supposed to be a living document that gets updated when your environment changes. New EHR vendor? New office location? New cloud service? Update it.
$ ask_your_MSP_for_proof
A green dashboard is not proof. Ask for the actual document. Ask who signed it. Ask when it was last reviewed. If they hedge, you have a vendor problem. CFS clients get an annual risk analysis as part of the engagement, no upcharge. If you’re not getting that from whoever’s supposedly handling your compliance, ask why.
// CLOSING_THOUGHTS
Every story this week comes back to the same thing. ADT got walked through giving up credentials by somebody on a phone. Mile Bluff and Winona County and Kent District Library got owned because somewhere in their environment, something was exposed that shouldn’t have been, and nobody caught it before the bad guys did. The four practices OCR fined got hit because they hadn’t even sat down to write the document that would have told them where their weak spots were.
The pattern is people. Every breach this week is a story about a person making a decision under pressure with bad information. The vishing call lands when somebody’s in the middle of three other things. The Okta credentials get typed when the voice on the phone sounds urgent and helpful. The risk analysis never gets done because the practice manager has eight other things on her plate and nobody at the top of the org chart made it a priority.
You can’t buy your way out of this with a firewall. The expensive firewall doesn’t stop the phone call. You can’t outsource your way out of it either, because the MSP doesn’t sit at your front desk. What you can do is make sure the people on your team know the rules of the road, and make sure the systems they touch every day are configured well enough that one bad click doesn’t cost you the company.
That’s it. That’s the whole game. See you next week.
Austin Eatman
Co-Founder // CyberFortify Solutions
FORTIFIED_WEEKLY
This briefing was Issue #005.