Payload Ransomware Claims Theft of 110 GB from Royal Bahrain Hospital, Threatens Public Leak
What Happened — The Payload ransomware gang announced that it breached Royal Bahrain Hospital (RBH) and exfiltrated roughly 110 GB of patient and operational data. The attackers posted screenshots of compromised systems on their Tor leak site and warned they will publish the data if the ransom is not paid by March 23, 2026.
Why It Matters for TPRM —
- Healthcare data breaches can trigger severe regulatory penalties and damage patient trust.
- The incident highlights the risk of ransomware‑as‑a‑service actors targeting mid‑size providers in emerging markets.
- Third‑party risk programs must verify that healthcare vendors maintain robust backup, encryption, and incident‑response controls.
Who Is Affected — Healthcare providers, EHR/clinical‑system vendors, and any downstream partners that process RBH patient data (e.g., labs, insurers, regional health networks).
Recommended Actions — Review contractual security clauses with RBH and any associated service providers, request evidence of recent backups and ransomware hardening, and verify that breach‑notification procedures are in place.
Technical Notes — Payload employs ChaCha20 for file encryption and Curve25519 for key exchange, deletes shadow copies, and disables security tools. The attack appears to be a classic double‑extortion ransomware‑as‑a‑service operation.
Source: SecurityAffairs