Back to Blog
high severity July 09, 2026 · scope unconfirmed

SF Smile Doctor Listed by CRPxO Ransomware Group

⚠ Were you caught in this breach?
Check your email against 15.4B+ leaked records in 15 seconds — free, no signup.
Scan my email — free → Instant · no account

Sector: Medical | Data leaked: 100.0 GB

Severity High
Disclosed July 09, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On July 9, 2026, the CRPxO ransomware group added San Francisco-based dental practice Sassan Kafayi DDC to its public leak site, confirming that attackers had exfiltrated 100 GB of internal files from the medical provider.

Confirmed Facts from Reporting

Public reporting indicates the incident began as a ransomware deployment that successfully encrypted systems and led to data theft. The group published proof of the breach on its onion site, listing the victim under the slug “sassan-kafayi-ddc.” Available reporting describes the exposed material as internal files totaling 100.0 GB. The exact number of patients and employees whose records were taken remains unknown, but any practice of this size typically maintains thousands of patient files containing names, addresses, dates of birth, Social Security numbers, insurance details, and clinical notes.

The listing appeared on the CRPxO leak site hosted at an onion address tracked by ransomware.live. No independent verification of the data sample has been published beyond the group’s own posting, which is standard for these incidents.

Why This Matters for You and Your Family

When a local medical provider loses control of patient records, the information can appear on dark-web marketplaces within days. That data is frequently combined with credentials stolen from other breaches to build complete profiles. If you or any member of your family has ever been a patient at Sassan Kafayi DDC or similar small practices, your personal and health details may already be circulating. Medical records are especially damaging because they contain not only contact information but also diagnoses, treatments, and insurance IDs that criminals use for identity theft, fraudulent claims, or targeted scams.

Even if you never visit that specific dentist, the incident illustrates a broader pattern: small and mid-size healthcare offices remain prime targets. One successful breach can expose thousands of ordinary families who assumed their dentist’s office was too unimportant to attract sophisticated attackers.

The Doxxing and Identity-Chain Risk

Stolen medical files rarely stay isolated. Attackers link patient names and addresses to email accounts, phone numbers, and usernames found in other leaks. This creates an identity chain that can lead to doxxing, account takeovers, and harassment. Credential leaks like this one often cascade into gaming accounts belonging to you or your children, because kids frequently reuse simplified passwords or email addresses tied to family medical records. Once an attacker controls a child’s Roblox, Fortnite, or Discord account, the breach chain can expose family photos, home addresses, and real-time location data shared in chat logs.

Identity-chain mapping has become a core tactic for extortionists who no longer need to demand ransom from the dentist; they can pressure individual patients directly.

CRPxO’s Publicly Known Track Record

Public reporting attributes CRPxO with emerging in late 2024 as a ransomware operation that combines double-extortion tactics with selective data leaks. The group has listed healthcare providers, professional services firms, and small manufacturers. Its typical playbook involves initial access through phishing or exploited remote desktop protocols, followed by exfiltration of sensitive folders before encryption. After deployment, CRPxO waits a short period and then posts samples or full datasets on its leak site if the victim does not pay. Extortion demands are usually directed at the organization, but the public posting of patient or customer data effectively pressures individuals as well. The group’s activities are tracked on multiple ransomware intelligence platforms that update victim lists in near real time.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the included no-subscription cleanup of data broker records tied to the breach.
  • Rotate any password you ever used at Sassan Kafayi DDC or similar providers anywhere it has been reused, and switch to 2FA through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your family’s information is caught in hours instead of months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts, which frequently become targets when medical or address data chains to usernames.
  • Let remediation specialists handle takedown requests for any exposed personal documents or photos that surface on forums or broker sites.

The speed with which ransomware groups move stolen medical data shows that waiting for notifications is no longer enough. One practical step taken now can break the chain before criminals combine this dentist’s files with the next leak. DoxxScan by GalaxyWarden delivers that ongoing protection through continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full family and household coverage that includes children’s gaming accounts.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.