Hale Makua Health Services falls victim to Qilin Ransomware

On Oct. 29, 2025, Hale Makua Health Services, a private, non-profit healthcare group based on Maui, Hawaii, reported a data breach to the U.S. Department of Health and Human Services. The incident was classified as a ransomware attack, with the Qilin ransomware group claiming responsibility.

The breach came to light after Qilin posted about the attack on their dark web portal on Sept. 25, 2025, stating they had obtained data from Hale Makua Health Services. The group also shared sample screenshots as proof of access. While the specific types of information exposed have not been detailed in the public notice, ransomware attacks on healthcare providers often involve both personally identifiable information (PII) and protected health information (PHI), such as names, addresses, dates of birth, medical records, and insurance details.

The HHS disclosure, currently shows a placeholder number of 500 individuals affected and will be updated after a full internal investigation is complete.

This incident is considered severe due to the nature of ransomware, which typically involves unauthorized access to internal systems, theft of sensitive data, and the threat of public exposure or sale of that data if ransom demands are not met.