Qilin ransomware operators posted Doctor.com to their leak site on March 29, 2026, claiming theft of 205GB across 104,392 files from the healthcare patient experience platform. The listing includes 1,600 photos and is the latest entry in Qilin’s aggressive 2026 healthcare targeting campaign, which has hit dozens of medical organizations in recent months.
Doctor.com, a Press Ganey subsidiary, provides digital patient engagement tools including online scheduling, reputation management, and provider directory services to healthcare organizations nationwide. The platform aggregates patient data, appointment information, and medical practice analytics, creating significant exposure risk if the breach claims prove legitimate.
Platform Scope
Doctor.com serves as a central hub for healthcare organizations managing their digital presence, handling everything from online appointment booking to review aggregation and patient communication. The stolen data volume suggests access to backend systems containing patient appointment records, provider information, communication logs, and potentially PHI from integrated scheduling workflows.
Press Ganey acquired Doctor.com specifically to build “the largest healthcare consumerism platform in the industry,” integrating patient satisfaction data with digital engagement tools. This creates cascading risk—a breach could expose not just individual practice data but aggregated intelligence across multiple healthcare organizations using the platform.
Qilin Healthcare Campaign
This attack follows Qilin’s documented pattern of healthcare targeting, including Aroostook Mental Health Services, Covenant Health, and numerous hospital systems in early 2026. The group has posted 1,000+ victims since its emergence, with healthcare representing roughly 45% of confirmed attacks. Their double extortion model combines operational disruption with data leak threats to pressure victims into paying the ransom.
Company Response
Neither Doctor.com nor parent company Press Ganey has issued a public statement regarding the alleged breach. Healthcare organizations using the platform should monitor for unauthorized access attempts and prepare breach notification procedures if patient data exposure is confirmed. The lack of immediate disclosure creates uncertainty for potentially affected practices and patients.












