FORTIFIED_WEEKLY // ISSUE_006
05.05.2026  //  CYBERFORTIFY_SOLUTIONS  //  CLASSIFICATION: PUBLIC
■ INTELLIGENCE_BRIEFING

Twelve-oh-five a.m.

A police database in Oklahoma. A clinic letter that took a year to mail. A school wire that left town and never came back. This week, the story was timing — whose worked, and whose didn't.

Last week we wrote about a phone call that emptied ADT, a pharmacy counter that went dark in Wisconsin, and a Minnesota county that had to call the National Guard. Five stories. One pattern. Real people, real timelines.

This week the pattern shifts. Every story you’re about to read happened on a clock. Some of those clocks ran fast. One ran a full year too slow. One was supposed to ring at midnight and didn’t. One ticked while a wire transfer crossed state lines and never came back.

If you run a dental office, a law firm, a clinic, or a town hall, the question after you finish reading isn’t whether you’re going to get hit. It’s whether your clock is set right.

01 // THE_CLOCK_HIT_12:05_AND_THE_THREAT_ACTOR_WENT_TO_WORK

One click in Ardmore, Oklahoma.

Ardmore is a town of about 25,000 people in southern Oklahoma. Friday nights belong to high school football. Sunday mornings belong to the church bells. And on a Tuesday evening in early April, somewhere inside city offices, an employee opened an email and clicked a link.

Nothing happened. Not yet. The screen looked normal. The employee finished their shift, locked their workstation, and went home.

The threat actor was patient. They waited for the building to empty. They waited past the lights going out. They waited until the IT staff was asleep at home. And at exactly 12:05 a.m., the encryption started.

Basically put a kernel on a person’s computer. The bad guys, the threat actor, waited until 12:05 and then they went to work.

ROBERT NEWELL, ARDMORE CIO

By the time anyone noticed, the police department’s primary database was locked. Five years of records. Every name an officer had ever taken down. Accident victims. Crime victims. Witnesses. Suspects. Complainants. Anyone who had ever crossed paths with an Ardmore patrol car since 2021 was now sitting on a server somewhere on the other side of the world.

The ransom note arrived. $300,000. Pay it, or watch it leak.

Newell didn’t pay. Couldn’t, really. Paying meant losing access to the state criminal databases that Ardmore’s officers depend on every shift. So they let the deadline pass. The FBI and CISA flew in. The leak, as far as anyone knows, never came.

Here’s the part that should keep you up at night. Ardmore’s water billing didn’t go down. Their financial systems didn’t go down. Their dispatch and emergency services didn’t go down. Every other system kept running because somebody, years ago, made the decision to put the police database on its own network. One subnet, one fence, one job. When the encryption started at 12:05, it ran into a wall.

That single boring decision is the only reason the lights stayed on in Ardmore.

Now think about your office. Your dental practice. Your law firm. Your front desk. Everything is on one flat network, isn’t it? Same VLAN as the receptionist’s computer. Same VLAN as the smart TV in the lobby. Same VLAN as the thermostat. When somebody clicks the wrong link at 5:47 p.m., nothing stops the encryption from rolling end to end at 12:05 a.m. There’s no wall. There’s no Robert Newell. There’s just you, in the morning, staring at a ransom note on every screen you own.

02 // THE_LETTER_TOOK_A_YEAR_TO_MAIL

A year too late, in a Carolina mailbox.

Late last week, somewhere in McBee, South Carolina, a woman walked to her mailbox and pulled out an envelope. Sandhills Medical Foundation. Her clinic. The one her family has been using for years. The one that keeps her kid’s vaccine records and her husband’s blood pressure history.

She opened the letter. The first thing she saw was the apology. The second thing she saw was the date the breach actually happened.

May 8, 2025. Almost a full year ago.

Sandhills is what’s called a Federally Qualified Health Center. They serve low-income families across four counties in South Carolina. Primary care. Behavioral health. Vaccines. The kind of clinic where you know the receptionist’s first name and the doctor remembers your daughter is allergic to amoxicillin. They’re the safety net.

On May 8 of last year, a ransomware crew called INC Ransom locked down their network. By June, the gang had Sandhills’ name posted on their public leak site as a warning to other victims. The data was already out. Anyone with a Tor browser and ten seconds could find it.

The forensic review didn’t finish until April 15, 2026. The letters didn’t go out until two weeks ago. The patient holding the envelope this past weekend just learned that her name, her date of birth, her Social Security number, her driver’s license, her passport number, and her full medical history have been sitting on a criminal leak site for eleven months.

169,017: Patients notified by Sandhills
357 days: Between breach and notification letter

That’s just Sandhills. The same week, a Pennsylvania ophthalmology clinic called Laurel Eye sent its own letter. Names. Dates of birth. Driver’s licenses. Usernames and passwords. Full medical histories. Tens of thousands more people, same story, different state.

Last week we told you about $1.165 million in HIPAA fines that landed on four medical practices in a single morning. The federal message there was simple. Do your risk analysis or pay. The Sandhills story is the next chapter of that same lecture. Notify your patients on time, or pay even more.

If your dental office or your clinic got hit tonight, when does the letter actually leave your printer? Tomorrow? Next month? A year from now after a forensic firm bills you into the ground? Because the patient you’ve been treating for a decade is going to read that envelope. And the date at the top is going to tell them everything they need to know about how much you respected them.

03 // THE_WIRE_LEFT_TOWN_AND_NEVER_CAME_BACK

$3.2 million. One email thread. Pine Bluff didn’t see it coming.

Pine Bluff School District in Arkansas had been working with the same construction vendor for months. Real project. Real invoices. Real email chain going back through dozens of replies. The kind of business relationship that feels like a handshake.

On December 17, 2025, an email landed in the right inbox at the right time. Same vendor. Same project. Same email thread everyone had been replying to. Different bank account. The new wiring instructions were polite, professional, signed by the right person.

The district wired $3,204,639.55.

A few days later, the Director of Finance picked up the phone to confirm the vendor got it. The vendor said they hadn’t requested anything. They hadn’t sent any new wiring instructions. They were still waiting on the original payment.

Federal investigators traced it back. A district employee’s email account had been compromised weeks earlier. The attackers had been sitting inside that mailbox, reading every reply, learning the vendor’s tone, learning the project codes, learning the dollar amounts. When the moment was right, they slid into a real email thread and posted fake wiring instructions in their own polished handwriting.

This incident was not the result of an error, but rather a deliberate and highly coordinated cybercrime.

DR. JENNIFER BARBAREE, PINE BLUFF SUPERINTENDENT

The feds told them to stay quiet during the recovery. They got most of it back. New rules now: no email-only wiring instructions, dual authorization, the bank verifies before any wire moves.

Pine Bluff was lucky. Spotswood, New Jersey wasn’t.

Same kind of attack. Different town, different year. Hackers got into a school employee’s email and impersonated the Spotswood Board of Education. They tricked the borough into wiring local school tax money to bank accounts that didn’t belong to the school. $4.8 million. They got $1.7 million back. They never found the rest.

Last week the borough announced they’re issuing short-term debt to cover the hole. Taxpayers in Spotswood are going to pay interest, for years, on a loan that started with one stolen email password. S&P warned that the borough’s reserves could weaken further. Real money, gone, because somebody clicked something.

Every dental office, every law firm, every small business pays vendors. Most of you confirm the wire by replying to the same email thread the instructions came in on. That’s the trap. If you change anything this week, change this. Pick up the phone. Call the number you already have on file. Not the one in the email. Verify every wiring change with a human voice on a number you already trust. That single phone call is the only thing standing between you and a Pine Bluff morning.
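The controls Pine Bluff adopted (no email-only wiring instructions, dual authorization, bank verification) written as a release gate for an accounts-payable workflow. This is an added example, not code from the district or from CyberFortify; the record fields, vendor name, account numbers and phone numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass(frozen=True)
class Vendor:                       # vendor master file entry (hypothetical schema)
    name: str
    account_on_file: str
    phone_on_file: str

@dataclass
class WireRequest:                  # hypothetical schema for a pending wire
    vendor: Vendor
    amount: float
    account: str                    # account the instructions ask us to pay
    channel: str                    # how the instructions arrived: "email", "portal", ...
    callback_number: Optional[str] = None   # number staff actually dialed
    callback_confirmed: bool = False         # the person who answered confirmed it
    approvers: Set[str] = field(default_factory=set)
    bank_verified: bool = False              # bank checked the beneficiary

def blocking_reasons(req: WireRequest) -> List[str]:
    """Return every control the request fails; an empty list means release."""
    reasons = []
    changed = req.account != req.vendor.account_on_file
    # Changed bank details, or any instructions that arrived by email, need a
    # voice confirmation on the number already in our records. A "yes" from a
    # number supplied in the message itself proves nothing.
    if changed or req.channel == "email":
        if req.callback_number != req.vendor.phone_on_file:
            reasons.append("callback not made to the number on file")
        elif not req.callback_confirmed:
            reasons.append("vendor did not confirm by phone")
    if len(req.approvers) < 2:      # a set, so the same person cannot count twice
        reasons.append("dual authorization missing")
    if not req.bank_verified:
        reasons.append("bank has not verified the wire")
    return reasons

# Constructed sample data: new account arrives in an email thread, and staff
# "confirm" it by calling the number printed in that same email.
BUILDER = Vendor("Constructed Builder LLC", "ACCT-1111", "555-0100")
SPOOFED = WireRequest(BUILDER, 3_204_639.55, "ACCT-9999", "email",
                      callback_number="555-0199", callback_confirmed=True,
                      approvers={"finance_director"})
VERIFIED = WireRequest(BUILDER, 3_204_639.55, "ACCT-9999", "email",
                       callback_number="555-0100", callback_confirmed=True,
                       approvers={"finance_director", "superintendent"},
                       bank_verified=True)
```
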

04 // THEY_TOOK_144_GIGS_FROM_A_LAW_FIRM_AND_NOBODY_NOTICED

Fargo, August. The clock the firm didn’t know was running.

Rodenburg Law Firm sits in Fargo, North Dakota. They handle debt recovery. Collection accounts, lender lawsuits, auto and consumer finance, hospital bills gone bad. Their clients are scattered across five Plains states. Their files are full of the kind of information attackers love. Names. Social Security numbers. Dates of birth. Payment cards. Medical conditions. Driver’s licenses.

On August 26, 2025, somebody at Rodenburg noticed something off on the network. Logs that didn’t look right. An account doing things it shouldn’t. They called in incident response. The team found a ransomware group called Akira sitting comfortably inside their environment.

Akira had been there for a while. Long enough to walk out the front door with 144 gigabytes of files. On December 10, the gang posted Rodenburg on their public leak site, like a hunter mounting a trophy. The forensic review wrapped in March. Notification letters started going out a week ago.

81,307: People notified
144 GB: Files stolen
1 firm: Akira walked through

Here’s the part that should make every law firm partner in America put down their coffee. Earlier this year, the INC Ransom gang claimed ten different law firms in a 48-hour window. Ten firms. Two days. Researchers think they all share a common technology vendor, some kind of practice management or document storage tool, and INC walked through that vendor like a master key.

BakerHostetler dropped its annual data security report in this same window. Law firm incidents almost doubled year over year. The average opening ransom demand jumped to $4.2 million. Up 70 percent. The legal industry is now the priority target, and mid-sized regional firms are the bullseye. Big enough to have insurance. Small enough to lack a real security team.

If you’re a solo or small firm reading this, the question is not whether the gang already has your name on a list. It’s whether you’d notice them once they were inside. Rodenburg got lucky. Somebody saw a log they didn’t like. Most firms don’t have anybody watching the logs. Nobody is going to call you and tell you politely that Akira is reading your client files. Your first warning is going to be a leak site, on a Tuesday, six months later, with your firm’s name in 24-point bold.

05 // HOMETOWN_DOCKET

North Carolina, this one’s for us.

Last Friday, in a federal courtroom in Charlotte, a judge picked up a settlement filing. The case caption read RFK Racing. As in Roush Fenway Keselowski. As in the NASCAR team headquartered an hour up the road, with cars that turn left around our backyard every Sunday in May.

The filing was the team’s request for final approval of a class action settlement. The class is 13,632 current and former employees. The reason is a cyberattack that hit the team last May. The data that walked out the door was names paired with Social Security numbers. The bread and butter combo for credit fraud, identity theft, and the kind of synthetic identity scams that ruin people for years.

The fairness hearing is set for June 15. A North Carolina race team is about to write checks to mechanics, fabricators, hospitality staff, and trailer drivers because somebody got into the network and grabbed an HR file.

Same week, our state Attorney General Jeff Jackson and Labor Commissioner Luke Farley sent out a joint warning. Employment scams are surging across North Carolina. Fake recruiters running fake interviews on real platforms, taking real money or real Social Security numbers off real job seekers who thought they were two steps from a paycheck. Jackson called it cruel because it targets people at vulnerable moments. He’s right. Anyone who has ever needed a job knows the feeling of finally getting that interview email. That’s the moment the scammer is counting on.

Down on the coast, WECT in Wilmington published an investigation yesterday on the PowerSchool breach that affected somewhere around four million North Carolina students and teachers. The hacker, a 19-year-old named Matthew Lane, pleaded guilty almost a year ago. Texas already sued PowerSchool. North Carolina hasn’t. New Hanover County School Board member Josie Barnhart is publicly pressing the AG to do something. Fifteen months in, families are still waiting.

If you’re reading this from Benson, from Garner, from Smithfield, from anywhere along I-95 between Raleigh and Wilmington, this is the closest thing to a hometown report we run. The threat isn’t somewhere else. It’s at the racetrack, on the recruiter site, in your kid’s school portal. It’s right here.

// IMMEDIATE_ACTION

Three things to fix this week.

// DO_THIS_NOW

$ verify_wires --by_phone --not_email

Any wire transfer change request, no matter how legit it looks, gets verified with a phone call to the number you already have on file. Not the number in the email. The one in your records. Pine Bluff is the canary. Don’t be the next one.

$ patch cpanel --critical=now

A new cPanel and WHM authentication bypass is being exploited right now. Pre-auth, no user interaction, full server takeover. Around 70 million websites and 650,000 servers are exposed. If you have a website, email your hosting provider today and ask one question in writing: have you patched CVE-2026-41940. If they say “we’re working on it,” that’s the wrong answer.

$ ask_msp --about_hipaa_2026

The HIPAA Security Rule overhaul is expected to land this month. First major rewrite in 20+ years. MFA mandatory. Encryption mandatory. Asset inventory mandatory. Vulnerability scans every six months. Pen tests every year. Network segmentation required. Access revoked within one hour of termination. Annual written verification from every business associate. If you’re a dental office, a clinic, or a behavioral health practice, ask your IT provider where you stand on every line of that list. The 180-day countdown starts the day it publishes.

// THE_NUMBERS_BEHIND_THIS_WEEK

Stories are stories until you put numbers under them. Then they get loud.

772: Ransomware victims claimed in April 2026
88%: Of small business breaches now involve ransomware
$4.2M: Average opening ransom on law firms (up 70%)
1 in 10: Americans hit by an AI voice clone scam

// THE_GOOD_GUYS_ALSO_PUNCHED_BACK

We end every issue on a win. This week we got two.

On April 30, two cybersecurity professionals were sentenced to four years in federal prison. Ryan Goldberg from Georgia and Kevin Martin from Texas. They had real cybersecurity training and used it to run BlackCat ransomware against American victims. They paid the BlackCat operators a 20 percent cut for access to the platform. One of their victims sent them $1.2 million in Bitcoin. They split it three ways and tried to launder it. The Justice Department said the part out loud that everyone in our industry needs to hear. They had the training to stop this kind of crime, and instead they used it to commit one. Four years each. Sometimes the system works.

Same week, the DOJ and the State Department coordinated a takedown of pig butchering scam compounds in Southeast Asia. 276 arrests. $700 million in cryptocurrency seized. Charges out of San Diego and DC, including against two people accused of running the Shunda compound in Burma, where trafficked workers were forced to scam Americans. One American victim alone lost over $3 million. The FBI’s Operation Level Up notified almost nine thousand victims, 77 percent of whom had no idea they were even being scammed. They saved roughly $562 million from leaving people’s accounts. They referred 93 victims to suicide intervention specialists.

For every story this week about a clock that ran out, somebody else’s clock got hit. That’s what this work looks like. Most of the time, you don’t get to see it happen.

Set your clock right.

See you next week.

Austin Eatman

Co-Founder // CyberFortify Solutions

FORTIFIED_WEEKLY

This briefing was Issue #006.
