Back to Blog
high severity April 17, 2026 · scope unconfirmed

Gastroenterology & Hepatology Listed by LeakBazaar Ransomware Group

Full database for sale — 167,303 patients, 124,761 SSN, 49,798 with sensitive diagnoses: - 167,303 patients — 124,761 with SSN, 166,402 (99%) with address, 164,296 (98%) with phone, 85,318 (51%) with email - 1,093,863 diagnoses (ICD-10), 1,547,142 medications, 186,246 pathology specimens with narrative reports - Sensitive (dx + meds): 49,798 patients — 44,861 with SSN. Mental health: 43,902 | Substance/Alcohol: 5,111 | STIs: 2,779 | Cancer: 2,708 | Hepatitis C: 1,906 - Includes notable individuals (politicians, business people, public figures)

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed April 17, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On April 17, 2026, the ransomware group LeakBazaar listed a full database from a gastroenterology and hepatology practice containing records for 167,303 patients, including 124,761 Social Security numbers and sensitive medical diagnoses for nearly 50,000 people.

Confirmed Facts from Reporting

Public reporting indicates the attacker exfiltrated internal files during a ransomware incident and has now placed the entire dataset for sale on its leak site. The exposed information covers 167,303 patients, of whom 124,761 have SSNs, 166,402 (99%) have addresses, 164,296 (98%) have phone numbers, and 85,318 (51%) have email addresses.

The database also includes 1,093,863 diagnoses coded in ICD-10, 1,547,142 medication records, and 186,246 pathology specimens accompanied by narrative reports. Among these, 49,798 patients44,861 of them with SSNs—carry diagnoses or medications flagged as sensitive. The breakdown of sensitive cases includes mental health conditions for 43,902 patients, substance or alcohol issues for 5,111, STIs for 2,779, cancer for 2,708, and hepatitis C for 1,906. Available reporting notes that the records contain information on notable individuals including politicians, business leaders, and other public figures.

Why This Matters for You and Your Family

When a medical provider loses control of this volume of personal and health data, the risk extends far beyond the clinic. Your name, address, phone number, email, SSN, and exact medical history can be purchased in one transaction. That combination allows identity thieves to open accounts, file fraudulent tax returns, or impersonate you with insurers. For families, the exposure can affect every member listed in a shared household record.

Medical details add another layer of harm. Employers, landlords, or even acquaintances who obtain the data could learn about mental health treatment, substance use disorders, cancer diagnoses, or infectious diseases. This information cannot be changed like a password. Once it circulates, you and your family live with the permanent possibility that someone will use it against you.

The Doxxing and Identity-Chain Implications

Credential leaks of this scale rarely stop at the initial breach. Attackers and downstream buyers routinely link the exposed emails, phones, and addresses to usernames on social media, gaming platforms, and shopping sites. A single match can reveal your children’s gaming accounts, family photos, or home address within hours. Public reporting describes these chains as “doxxing pipelines” that turn one records leak into long-term harassment or targeted scams.

Because the dataset includes both adult and dependent records, children’s information is also at risk. Gaming handles tied to a parent’s email or phone can be located quickly, exposing younger family members to account takeovers or real-world contact. The same identity chain that links your medical file to your social profiles can link your child’s gaming activity back to your physical doorstep.

LeakBazaar’s Publicly Known Track Record

Public reporting attributes LeakBazaar with emerging in late 2024 as a ransomware operation that emphasizes rapid data publication when victims refuse payment. The group has listed healthcare providers, municipal governments, and private corporations in prior incidents. Its typical playbook involves initial access through phishing or exploited remote desktop services, followed by exfiltration of sensitive databases, then dual extortion: demanding ransom to prevent publication and offering the data for sale on its dedicated leak site if the deadline passes. Exact prior victim counts remain under active investigation, but available reporting consistently places LeakBazaar among mid-tier ransomware actors focused on volume and speed rather than prolonged negotiation.

What to do

  • Run a DoxxScan to map every link between your emails, phones, addresses, and online handles so you can see exactly what chains exist right now.
  • Rotate the password used at the gastroenterology practice anywhere it is reused, and switch on 2FA through an authenticator app rather than text messages.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak that touches your family is caught in hours, not months.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts that often chain back to the same contact details.
  • Let DoxxScan remediation specialists handle takedown requests across data brokers and exposed records while you focus on securing your own accounts.

The most effective defense is early visibility and rapid action before criminals complete the identity chain. Start your DoxxScan trial today and let its continuous monitoring, AI-powered identity-chain mapping, and hands-on remediation specialists work for you and your family—including protection for children’s gaming accounts that credential leaks like this one so easily expose. Source: LeakBazaar leak site (via ransomware.live)

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.