Cyber Incident Victim: Aroostook Mental Health Center
Date:
Mar 2026
Location:
United States of America
Summary
The Aroostook Mental HealthCenter suffered a ransomware attack attributed to a Russian‑based cyber crime group that added the organization to its dark‑web leak site. The agency reported a network disruption and enlisted cyber incident specialists to investigate, noting that the investigation remains ongoing and it is unclear whether any data were exfiltrated. The ransomware group operates as a ransomware‑as‑a‑service offering and has been linked to numerous other incidents, including a prior attack on a UK pathology provider that disrupted services and resulted in a fatality. Federal authorities have highlighted rising ransomware losses, underscoring the broader threat landscape.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On an unspecifieddate in March 2026, Aroostook Mental Health Center (AMHC) experienced a network disruption that was later identified as a ransomware attack. The ransomware group Qilin added the Presque Isle‑based organization to its dark web data leak site on a Tuesday, as documented by screenshots and reports from multiple ransomware‑tracking websites. In a statement to the Bangor Daily News on the following Wednesday, AMHC confirmed that it had recently experienced a network disruption and said it had engaged cyber incident specialists to assist with the investigation. Clare Hickey, a spokesperson for the nonprofit, noted that the investigation remained ongoing and that the appearance of the organization’s name on the leak site resulted from its decision not to negotiate with the cyber criminals responsible for the disruption.
AMHC is described as the largest behavioral healthcare provider serving a broad rural region of Maine, covering Aroostook, Hancock and Washington counties, with more than 350 employees and over 5,500 clients across 27 service locations. Qilin operates as a ransomware‑as‑a‑service operation that began in 2022 and is assessed by a 2024 U.S. Department of Health and Human Services threat profile as likely originating from Russia, despite its name being derived from a Chinese mythological creature. The group claimed responsibility for more than 700 attacks in 2025 by late October and had previously gained notoriety for a June 2024 ransomware incident against a UK pathology provider that disrupted over 10,000 appointments and was linked to a fatality. The FBI’s 2024 Internet Crime Report recorded $16.6 billion in ransomware‑related losses, a 33 percent increase from the prior year.
In response to the incident, AMHC has partnered with external cyber incident specialists to investigate the breach and has stated that it will update relevant parties as more information about the scope and nature of the attack becomes available. The organization emphasized that it will take all steps necessary and legally required to address the situation, while declining to provide further details about the timing of the attack or whether any data was exfiltrated. Clare Hickey reiterated that the investigation is ongoing and that the organization’s public statement reflects its stance of not engaging with the perpetrators behind the network disruption.