TridentLocker Ransomware Exposes WTC Health Program Data Breach
Some data breaches expose credit card numbers. Some expose email addresses. This one exposed the medical records, Social Security numbers, and completed health program forms of people enrolled in the World Trade Center Health Program—a federal program created to care for the men and women who responded to the September 11 attacks, survived the toxic dust clouds, or lived and worked in the disaster zone.
Key Takeaways
- A Ransomware Attack Exposed Deeply Sensitive WTC Health Program Data. On December 4, 2025, Managed Care Advisors/Sedgwick Government Solutions (MCA/SGS)—a federal contractor managing workers' compensation and managed care for U.S. government agencies—discovered that a corporate Secure File Transfer Protocol (SFTP) server had been compromised. The intrusion dated back to November 16, 2025, when an unauthorized third party accessed the server and encrypted files. The compromised server stored files from the previous Nationwide Provider Network contractor for the World Trade Center Health Program, a federally funded initiative providing no-cost medical monitoring and treatment for 9/11 responders and survivors.
- The Data Exposed Is Extensive—and Uniquely Harmful. This was not a breach of email addresses and passwords. The exposed information includes first and last names, home addresses, Social Security numbers, dates of birth, medical record images, and completed WTC Health Program forms containing protected health information. For individuals enrolled in the WTC Health Program—many of them first responders, recovery workers, and survivors already dealing with chronic health conditions from toxic 9/11 exposures—this data represents the most intimate details of their medical histories and identities.
- TridentLocker Claimed Responsibility and Leaked Data on the Dark Web. The ransomware group identifying itself as TridentLocker posted approximately 3.39 GB of the organization's data on a Tor-hosted dark web site on December 30, 2025. TridentLocker operates as a ransomware-as-a-service (RaaS) operation that emerged in late November 2025, using double-extortion tactics: encrypting systems and threatening to publish stolen data if ransom demands go unmet. The group has listed 12 victims since its emergence, spanning manufacturing, government, IT, and professional services across North America and Europe.
- The Official Disclosure Came Months After the Breach. MCA/SGS disclosed the breach to the New Hampshire Attorney General on February 10, 2026—nearly three months after the initial unauthorized access on November 16, 2025. Notifications to affected individuals began on February 11, 2026. While the filing initially references approximately three New Hampshire residents, the nature of the data—WTC Health Program records from a nationwide provider network—signals that the actual scope of exposure extends well beyond a single state.
- SFTP Infrastructure Remains a High-Value, Under-Secured Target. The breach exploited an SFTP server—file transfer infrastructure that, by design, aggregates sensitive data from multiple upstream providers and programs. SFTP servers used in healthcare and government contexts often store large volumes of PHI and PII in concentrated repositories, making them particularly attractive to ransomware operators. This incident underscores a persistent vulnerability in the way covered entities and business associates handle file transfer systems, especially when those systems support specialized healthcare programs with extraordinarily sensitive participant data.
That context matters. It changes the risk calculus entirely.
The WTC Health Program, administered by the CDC's National Institute for Occupational Safety and Health (NIOSH), provides medical monitoring and treatment for 9/11-related health conditions at no cost to eligible responders and survivors. Program participants include firefighters, police officers, paramedics, construction workers involved in recovery and cleanup, and residents who were exposed to the toxic contaminants released by the collapse of the World Trade Center towers. Many of these individuals have developed cancers, respiratory diseases, digestive disorders, and mental health conditions linked to their exposures. Their health records are not routine medical files. They are detailed documentation of occupational exposures, chronic illness progression, and ongoing treatment for conditions tied to one of the most significant events in American history.
When those records end up on a dark web leak site, the harm is not abstract.
What Happened: A Timeline
The sequence of events is straightforward, and that's part of the problem.
On November 16, 2025, a third party gained unauthorized access to a corporate SFTP server operated by Managed Care Advisors/Sedgwick Government Solutions. The server was used to store files associated with the Nationwide Provider Network for the WTC Health Program. The attacker encrypted files on the server—a hallmark of ransomware deployment.
MCA/SGS discovered the breach on December 4, 2025. The affected server was quarantined, all connections were disabled, and a secure backup was restored the following day, December 5. The company engaged Mandiant, a prominent incident response firm, to conduct forensic analysis and notified the FBI.
On December 30, 2025, TridentLocker posted approximately 3.39 GB of data from the organization on a Tor-hosted dark web leak site. The group had claimed responsibility for the attack, using the standard double-extortion playbook: encrypt systems, steal data, and threaten public release unless a ransom is paid.
Sedgwick confirmed the incident publicly in early January 2026, emphasizing that its government solutions subsidiary is segmented from broader Sedgwick operations and that no claims management servers were accessed. Formal breach notification to the New Hampshire Attorney General followed on February 10, 2026, with individual notifications beginning February 11.
Affected individuals are being offered 12 months of credit monitoring and identity theft protection through Kroll, and a dedicated call center has been established to field questions.
Why SFTP Servers Keep Getting Hit
If the Managed Care Advisors breach sounds familiar, that's because it follows a pattern that has been repeating across healthcare and government for years. File transfer infrastructure—SFTP servers, managed file transfer (MFT) platforms, and similar systems—keeps showing up as the point of compromise in major breaches.
The reason is not complicated. SFTP servers are designed to receive, store, and transmit files between organizations. In healthcare, those files often contain the densest concentrations of PHI and PII in the entire environment: claims data, eligibility records, medical images, program enrollment forms, Social Security numbers, and more. A single SFTP server can aggregate sensitive data from multiple upstream providers, programs, and agencies into one location.
For attackers, that makes SFTP infrastructure a one-stop shop. Compromising a single server can yield a massive volume of high-value data without the need to move laterally through an enterprise network or defeat multiple layers of endpoint security.
The defenses that should protect these systems are well understood: strong authentication (multi-factor, not just passwords), encryption of data at rest and in transit, robust access controls that limit who and what can reach the server, real-time monitoring and alerting for anomalous access patterns, and immutable audit logging that creates a forensic trail.
Zero-trust principles—verifying every access request, enforcing least privilege, and assuming compromise as a design principle—are particularly relevant for file transfer systems that aggregate sensitive data from multiple sources.
Yet time after time, breaches involving SFTP and MFT systems reveal gaps in one or more of these areas. Whether it's weak authentication, unmonitored access, missing encryption at rest, or a lack of anomaly detection, the pattern repeats because the fundamentals keep getting overlooked in systems that don't always receive the same security attention as high-profile clinical applications.
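The "real-time monitoring and anomaly detection" gap above is concrete enough to show. The following is an added example, not code from the original post or from any vendor it mentions: it assumes the file transfer server is OpenSSH with SFTP logging enabled (Subsystem sftp internal-sftp -l INFO), and the sample log lines are constructed to resemble the session-open, open and close messages that mode writes. The per-account source allowlist, the business-hours window and the 1 GiB read threshold are assumed policy values. It correlates lines by sftp-server PID into sessions and flags the one that comes from an unexpected address, runs in the middle of the night and reads back gigabytes of provider uploads.

```python
"""Flag anomalous SFTP sessions from OpenSSH internal-sftp log lines."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample syslog lines, modelled on what OpenSSH's internal-sftp
# writes at log level INFO (-l INFO). Host, users, paths, IPs and sizes are
# made up; the second session is the kind of bulk read-back to watch for.
SAMPLE_LOG = """\
Nov 14 09:12:01 sftp01 sftp-server[2201]: session opened for local user provider_a from [203.0.113.5]
Nov 14 09:12:02 sftp01 sftp-server[2201]: open "/upload/provider_a/claims_20251114.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Nov 14 09:12:03 sftp01 sftp-server[2201]: close "/upload/provider_a/claims_20251114.csv" bytes read 0 written 2097152
Nov 14 09:12:04 sftp01 sftp-server[2201]: open "/upload/provider_a/ack.txt" flags READ mode 0666
Nov 14 09:12:04 sftp01 sftp-server[2201]: close "/upload/provider_a/ack.txt" bytes read 512 written 0
Nov 14 09:12:05 sftp01 sftp-server[2201]: session closed for local user provider_a from [203.0.113.5]
Nov 16 02:11:04 sftp01 sftp-server[4107]: session opened for local user provider_a from [198.51.100.77]
Nov 16 02:11:06 sftp01 sftp-server[4107]: open "/upload/provider_a/claims_20251114.csv" flags READ mode 0666
Nov 16 02:11:09 sftp01 sftp-server[4107]: close "/upload/provider_a/claims_20251114.csv" bytes read 2097152 written 0
Nov 16 02:11:10 sftp01 sftp-server[4107]: open "/upload/provider_a/enrollment_forms.zip" flags READ mode 0666
Nov 16 02:14:41 sftp01 sftp-server[4107]: close "/upload/provider_a/enrollment_forms.zip" bytes read 734003200 written 0
Nov 16 02:14:42 sftp01 sftp-server[4107]: open "/upload/provider_a/record_images.tar" flags READ mode 0666
Nov 16 02:19:58 sftp01 sftp-server[4107]: close "/upload/provider_a/record_images.tar" bytes read 2684354560 written 0
Nov 16 02:20:00 sftp01 sftp-server[4107]: session closed for local user provider_a from [198.51.100.77]
"""

# Assumed policy: the source addresses each account is expected to come from,
# the local business-hours window, and a per-session read-volume cap.
KNOWN_SOURCES = {"provider_a": {"203.0.113.5"}}
BUSINESS_HOURS = range(6, 20)          # 06:00-19:59
BULK_READ_BYTES = 1 << 30              # 1 GiB read in one session

PREFIX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OPENED = re.compile(r"session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]")
OPEN = re.compile(r'open "(?P<path>[^"]+)" flags (?P<flags>\S+)')
CLOSE = re.compile(r'close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')


@dataclass
class Session:
    pid: str
    user: str
    ip: str
    started: datetime
    bytes_read: int = 0
    bytes_written: int = 0
    files_read: list = field(default_factory=list)


def parse_sessions(log_text):
    """Correlate lines by sftp-server PID into per-session summaries."""
    sessions = {}
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if opened := OPENED.match(msg):
            sessions[pid] = Session(pid, opened["user"], opened["ip"],
                                    datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
            continue
        s = sessions.get(pid)
        if s is None:
            continue                    # activity without a session-open line
        if (o := OPEN.match(msg)) and "READ" in o["flags"].split(","):
            s.files_read.append(o["path"])
        elif c := CLOSE.match(msg):
            s.bytes_read += int(c["read"])
            s.bytes_written += int(c["written"])
    return list(sessions.values())


def assess(session, known_sources=KNOWN_SOURCES, bulk_read_bytes=BULK_READ_BYTES):
    """Return the reasons a session looks anomalous (empty list if none)."""
    reasons = []
    if session.ip not in known_sources.get(session.user, set()):
        reasons.append(f"source {session.ip} is not on the allowlist for {session.user}")
    if session.started.hour not in BUSINESS_HOURS:
        reasons.append(f"session started outside business hours ({session.started:%H:%M})")
    if session.bytes_read > bulk_read_bytes:
        gib = session.bytes_read / (1 << 30)
        reasons.append(f"bulk read of {gib:.2f} GiB across {len(session.files_read)} files")
    return reasons


def flag_sessions(log_text):
    """Map sftp-server PID -> reasons, for sessions that trip at least one rule."""
    flagged = {}
    for s in parse_sessions(log_text):
        reasons = assess(s)
        if reasons:
            flagged[s.pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in flag_sessions(SAMPLE_LOG).items():
        print(f"sftp-server[{pid}]:")
        for r in reasons:
            print("  -", r)
```

Run against the sample, the upload session from the expected provider address passes and the 02:11 session is reported with all three reasons. The point is that none of these rules needs anything beyond the logging the server can already produce; what the breached deployments lacked was someone collecting those lines centrally and looking at byte counts per session.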
The Healthcare Ransomware Landscape Is Getting Worse, Not Better
The MCA/SGS breach did not happen in a vacuum. It arrived during the worst stretch of ransomware activity the healthcare sector has ever seen.
Healthcare-sector ransomware incidents reached their highest quarterly total of the year in the final three months of 2025, with 190 attacks recorded in Q4 alone, according to Health-ISAC's threat intelligence report. Total cyber incidents across all sectors climbed to 8,903 in 2025, representing a 55 percent increase over 2024. Health-specific incidents rose 21 percent year over year.
The numbers tell a grim story, but the tactics tell a worse one. An estimated 96 percent of ransomware incidents targeting healthcare now involve data exfiltration—the double-extortion model where attackers steal data before encrypting systems. Even if an organization can recover from encryption using backups, the stolen data gives attackers a second lever: Pay up, or we publish your patients' records.
This is exactly what happened with TridentLocker and MCA/SGS. The data was not just encrypted. It was stolen and posted to a dark web leak site. Backup restoration addressed the operational disruption, but it did nothing to address the fact that WTC Health Program participant data was already in the hands of a criminal organization.
The ransomware ecosystem itself has fragmented. Smaller, faster-moving groups and new ransomware-as-a-service platforms now dominate the landscape. TridentLocker is a case in point—the group emerged only in late November 2025 and had already claimed a dozen victims by early January 2026. The barriers to entry for ransomware operations continue to fall, and the healthcare sector, with its concentration of high-value PHI and its operational sensitivity to downtime, remains the most frequently targeted industry.
The Regulatory and Legal Exposure Is Significant
When a breach involves both PII and PHI—and when it touches a federally funded health program governed by HIPAA and the James Zadroga 9/11 Health and Compensation Act—the regulatory exposure extends well beyond a credit monitoring offer.
The HHS Office for Civil Rights (OCR), which enforces the HIPAA Security Rule, has been intensifying enforcement actions against covered entities and business associates that fail to implement fundamental security requirements. In the first five months of 2025 alone, OCR announced 10 settlements with healthcare organizations over data breaches, with fines reaching into the millions. A recurring theme in those enforcement actions: organizations that had never properly assessed their own security vulnerabilities in the first place.
For MCA/SGS, the questions regulators will ask are predictable. Was multi-factor authentication enforced on the compromised SFTP server? Was data at rest encrypted? Were access controls configured to restrict who could reach WTC Health Program files? Were there real-time monitoring and anomaly detection capabilities in place? Was there an immutable audit trail that can reconstruct exactly what data was accessed and when?
And beyond the regulatory inquiry, class-action litigation is already forming. Attorneys have begun investigating whether affected individuals can pursue claims for loss of privacy, out-of-pocket costs, and other damages resulting from the breach. For a population that already carries the burden of 9/11-related health conditions, the prospect of identity theft and medical fraud adds insult to injury in a very literal sense.
What Affected Individuals Should Do Right Now
If you received a breach notification from Managed Care Advisors/Sedgwick Government Solutions, or if you believe your information may have been exposed through the WTC Health Program's Nationwide Provider Network, there are concrete steps you should take immediately.
Enroll in the complimentary credit monitoring and identity restoration services being offered through Kroll. These services run for 12 months and can alert you to suspicious activity on your credit file.
Request your free credit reports from the three major bureaus—Equifax, Experian, and TransUnion—and review them carefully for any accounts, inquiries, or activity you don't recognize.
Consider placing a fraud alert or a security freeze on your credit files. A fraud alert notifies creditors that they should take extra steps to verify your identity before opening new accounts. A security freeze goes further, preventing new credit accounts from being opened in your name entirely until you lift the freeze.
Monitor your explanation of benefits (EOB) statements and any healthcare-related correspondence for signs of medical identity fraud. When PHI is exposed, there is a real risk that stolen information can be used to obtain medical services or prescription drugs in your name, which can corrupt your medical records and create complications in your own care.
If you have questions, MCA/SGS has established a dedicated call center to assist affected individuals.
What Organizations Managing Sensitive Healthcare Data Should Take Away
The Managed Care Advisors/Sedgwick breach is a case study in the specific risks facing organizations that manage file transfer infrastructure for specialized healthcare programs. Three priorities stand out.
Treat file transfer systems as high-value targets, because attackers already do. SFTP servers, MFT platforms, and similar systems that aggregate sensitive data from multiple sources require security controls that match their risk profile. That means multi-factor authentication, encryption at rest and in transit, granular role-based access controls, real-time anomaly detection, and immutable audit logging. These are not aspirational goals. They are baseline requirements for systems that store PHI and PII.
Apply zero-trust principles to every data pathway, not just the network perimeter. The shift to zero-trust architecture means verifying every access request, enforcing least-privilege access so that users and systems only reach the data they need for their specific function, and assuming that any component in the environment could be compromised. For file transfer systems in particular, this means controlling access at the folder and file level, restricting connections by IP and geography, and implementing time-limited access for temporary collaborators. Trust should never be implicit.
Build and test ransomware resilience before you need it. Encrypted, segmented backups are essential. Incident response plans need to account for double-extortion scenarios where data is stolen before encryption occurs. Forensic readiness—the ability to reconstruct exactly what was accessed, when, and by whom—is not optional when PHI is involved. And the response plan needs to be tested regularly, not left on a shelf until the day the SFTP server goes dark.
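The controls listed in the three priorities above (key-only authentication with a second factor, confining accounts to their own directory, denying shell and tunnelling features, and logging every file operation) map onto a handful of sshd_config directives when the server is OpenSSH. The following is an added example, not code from the original post or from any vendor it mentions: it places a constructed weak configuration beside a hardened one and audits both. It assumes OpenSSH sshd_config syntax and a Match block keyed on an assumed group named sftponly; the second factor behind keyboard-interactive comes from PAM and is configured outside sshd, so it is not shown. The checker covers the directives named here, not the whole of sshd_config.

```python
"""Audit an OpenSSH sshd_config for an SFTP-only deployment.

Parses the global section and Match blocks, then checks the settings that
matter for a file transfer server holding PHI/PII.
"""
import re

# Constructed example of a legacy SFTP server config (weak). Paths and the
# group name are made up.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
LogLevel INFO
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
"""

# Constructed hardened counterpart. keyboard-interactive supplies the second
# factor via PAM (configured outside sshd, not shown here).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
LogLevel VERBOSE
Subsystem sftp internal-sftp -l INFO
Match Group sftponly
    # chroot path must be root-owned and not group/world writable
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
"""

VERBOSE_LEVELS = {"verbose", "debug", "debug1", "debug2", "debug3"}
SFTP_LOG_LEVELS = {"info"} | VERBOSE_LEVELS


def parse_sshd_config(text):
    """Return {'global': {...}, 'matches': [(criteria, {...}), ...]}.

    Keys and Match criteria are lower-cased. As in sshd, the first value seen
    for a key wins within a section, and a Match block overrides the global
    section for the sessions it matches.
    """
    cfg = {"global": {}, "matches": []}
    current = cfg["global"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            cfg["matches"].append((value.lower(), current))
        else:
            current.setdefault(key, value)
    return cfg


def effective(cfg, key, criteria):
    """Value of `key` for sessions matching `criteria`: block first, then global."""
    for crit, block in cfg["matches"]:
        if crit == criteria and key in block:
            return block[key]
    return cfg["global"].get(key)


def audit_sftp_config(text, criteria="group sftponly"):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    get = lambda key: (effective(cfg, key, criteria) or "").lower()
    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin should be no")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication should be no (keys only)")
    if len([m for m in get("authenticationmethods").split(",") if m]) < 2:
        findings.append("AuthenticationMethods should require two factors, "
                        "e.g. publickey,keyboard-interactive")
    if get("loglevel") not in VERBOSE_LEVELS:
        findings.append("LogLevel should be VERBOSE so key fingerprints are logged")
    if not cfg["global"].get("subsystem", "").startswith("sftp internal-sftp"):
        findings.append("Subsystem sftp should use internal-sftp (works inside "
                        "ChrootDirectory and supports -l logging)")
    block = next((b for c, b in cfg["matches"] if c == criteria), None)
    if block is None:
        findings.append(f"no 'Match {criteria}' block confining SFTP accounts")
        return findings
    if "chrootdirectory" not in block:
        findings.append("Match block lacks ChrootDirectory")
    fc = block.get("forcecommand", "").split()
    if not fc or fc[0] != "internal-sftp":
        findings.append("Match block should set ForceCommand internal-sftp "
                        "so accounts cannot get a shell")
    else:
        level = fc[fc.index("-l") + 1].lower() if "-l" in fc[:-1] else ""
        if level not in SFTP_LOG_LEVELS:
            findings.append("internal-sftp should log file operations with -l INFO or higher")
    for opt in ("allowtcpforwarding", "x11forwarding", "permittunnel", "permittty"):
        if block.get(opt, "").lower() != "no":
            findings.append(f"Match block should set {opt} no")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sftp_config(text)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The weak configuration produces ten findings and the hardened one none. Two of the hardened settings do the heaviest lifting for the "folder and file level" control the text calls for: ChrootDirectory keeps each account inside its own tree, and ForceCommand internal-sftp removes the shell entirely, so a compromised provider credential reaches that provider's files and nothing else on the host.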
Why Legacy SFTP Is the Problem—and What Replaces It
Here's the uncomfortable truth buried in this breach: Traditional SFTP infrastructure was never designed for the threat environment it now operates in. Legacy SFTP deployments typically rely on manual scripting, scattered server instances, and bolt-on security tools that create gaps instead of closing them. Each server has its own configuration, its own access policies, its own logging format—if it has logging at all. When a ransomware group like TridentLocker hits one of those servers, the organization often can't even reconstruct what was taken, let alone prove to regulators that controls were in place before the compromise.
This is the architectural problem that made the MCA/SGS breach possible. Not a lack of awareness. A lack of consolidation.
Kiteworks was built to eliminate exactly this class of risk. Its approach to SFTP security starts at the infrastructure layer and works outward, replacing the fragmented legacy model with a unified platform that centralizes policies, administration, and audit logging across every file transfer channel.
The foundation is a hardened virtual appliance with a secure-by-default architecture and minimal attack surface. An embedded firewall and web application firewall protect the perimeter, while an assume-breach design philosophy safeguards against advanced persistent threats. This isn't theoretical resilience—when the Log4Shell vulnerability hit, Kiteworks' isolation architecture reduced the exposure from a critical CVSS 10 to a CVSS 4. The platform is continuously hardened through OWASP best practices, offensive and defensive security strategies, third-party penetration testing, and bounty programs.
Encryption goes beyond what most SFTP solutions offer. Kiteworks provides double encryption for data at rest, TLS 1.3 for data in transit, customer-owned keys (BYOK) for complete control over cryptographic material, and FIPS 140-3 validated encryption options that meet federal requirements. In the MCA/SGS breach, the compromised SFTP server stored WTC Health Program data. If that data had been protected by double encryption with customer-managed keys, exfiltration alone would not have given TridentLocker usable files.
On the content security side, Kiteworks deploys zero-trust data exchange that treats every file as a potential threat. Content Disarm and Reconstruction (CDR) eliminates embedded threats by reconstructing all files before delivery. Every file is scanned—no size-based bypass limits—using multi-engine antivirus analysis with real-time threat intelligence and behavioral analytics for zero-day detection. This is the layer that catches weaponized files before they reach the server, and flags anomalous activity if an attacker attempts to use the file transfer channel for exfiltration.
Data loss prevention is unified across SFTP, email, file sharing, and APIs under a single policy engine. Kiteworks evaluates content in real time based on what's in the file, who's sending it, and where it's going—then enforces automated remediation workflows including quarantine, encryption, and notifications. Integration with enterprise DLP platforms like Microsoft Purview and Forcepoint means organizations don't have to choose between their existing DLP investment and their file transfer security.
The audit and compliance layer is where Kiteworks addresses one of the most damaging aspects of breaches like MCA/SGS: the inability to answer regulators' questions after the fact. Every action across every channel feeds into a unified audit log with SIEM integration for centralized security monitoring. Built-in policy automation eliminates the manual scripting vulnerabilities that plague legacy SFTP deployments. Intrusion detection systems provide continuous monitoring. And the entire platform supports FedRAMP High-ready and IRAP authorization for organizations operating under government-grade security requirements.
The key differentiator is consolidation. Legacy SFTP scatters sensitive data across multiple servers, each with its own security posture, its own gaps, and its own blind spots. Kiteworks replaces that fragmentation with a single-tenant Private Data Network architecture, centralized least-privilege access controls, LDAP and SSO integration for authentication, and one policy engine governing every file transfer in the organization. Fewer servers. Fewer gaps. Fewer places for a TridentLocker to hide.
The MCA/SGS breach also reinforces a broader lesson that the healthcare sector has been learning the hard way: Business associates and subcontractors that handle PHI are an extension of the covered entity's security posture. The WTC Health Program participants whose data was exposed did not choose MCA/SGS as their data custodian. They enrolled in a federal health program. The obligation to protect their information flows through every contractor, subcontractor, and system in the chain—and the infrastructure those contractors use to store and transfer data is where that obligation either holds or breaks.
Frequently Asked Questions
On November 16, 2025, an unauthorized third party accessed a corporate SFTP server operated by Managed Care Advisors/Sedgwick Government Solutions and encrypted files in a ransomware attack. The breach was discovered on December 4, 2025. The compromised server stored files from the Nationwide Provider Network for the World Trade Center Health Program. The ransomware group TridentLocker claimed responsibility and posted approximately 3.39 GB of data on a dark web site on December 30, 2025. Exposed information includes names, addresses, Social Security numbers, dates of birth, medical record images, and completed WTC Health Program forms.
The breach notification filed with the New Hampshire Attorney General on February 10, 2026, initially identifies approximately three affected New Hampshire residents. However, the compromised SFTP server contained data from the WTC Health Program’s Nationwide Provider Network, which serves participants across the country. The full scope of the breach is expected to extend well beyond New Hampshire, potentially affecting WTC Health Program participants nationwide whose data was stored on the compromised server.
The WTC Health Program is a federal program administered by the CDC’s National Institute for Occupational Safety and Health (NIOSH). It provides no-cost medical monitoring and treatment for health conditions related to the September 11, 2001, terrorist attacks. Eligible participants include first responders, recovery and cleanup workers, and survivors who lived, worked, or attended school in the New York City disaster area. The program covers conditions including cancers, respiratory diseases, digestive disorders, and mental health conditions linked to 9/11 exposures.
TridentLocker is a ransomware-as-a-service (RaaS) operation that emerged in late November 2025. The group uses double-extortion tactics, encrypting victim systems and threatening to release exfiltrated data if ransom demands are not met. Since its emergence, TridentLocker has claimed at least 12 victims across manufacturing, government, IT, and professional services, primarily in North America and Europe. The group also claimed responsibility for an attack on Belgian postal service bpost.
Affected individuals should enroll in the complimentary 12-month credit monitoring and identity theft protection services offered through Kroll. They should also review their credit reports for suspicious activity, consider placing fraud alerts or security freezes with the major credit bureaus, and monitor healthcare-related correspondence for signs of medical identity fraud. A dedicated call center has been established to assist individuals with questions about the breach.
Organizations using SFTP servers to store or transfer sensitive data should enforce multi-factor authentication, encrypt data at rest and in transit, implement granular role-based access controls, deploy real-time monitoring and anomaly detection, and maintain immutable audit logs. Zero-trust principles—least-privilege access, explicit verification of every request, and assumption of compromise—should govern all file transfer infrastructure. Ransomware resilience planning, including encrypted and segmented backups, tested incident response procedures, and forensic readiness, is essential for any system that handles PHI or PII.