A home security company couldn't keep its own customers safe. A Wisconsin grandma drove an hour for a prescription. A Minnesota county had to call the National Guard to renew a driver's license. This is what a bad week looks like.
STORY_01 // VISHING
The voice on the other end of the phone said it was IT.
We don’t know the name of the ADT employee who picked up that call. We don’t know if they were on day three or year fifteen. We know the call worked. We know that whoever was on the other end walked them through giving up their Okta single sign-on credentials, the same credentials that unlock every cloud system at one of the biggest home security companies in America. And we know that minutes later, somebody who was not an ADT employee was logged into ADT’s Salesforce instance, vacuuming up customer records.
Eleven gigabytes of them.
ADT detected the breach on April 20th. They sat on it for four days. On April 24th, the ransomware crew known as ShinyHunters posted ADT to their leak site with a deadline. The note said, in their words, this was a final warning before “several annoying digital problems” came ADT’s way. ADT did not pay. On April 27th, ShinyHunters dumped the archive online. Have I Been Pwned ingested it the same day and confirmed 5.5 million unique email addresses, names, phone numbers, addresses, and for some unlucky percentage, dates of birth and the last four of their Social Security numbers.
ADT’s official statement leaned hard on what the attackers didn’t get. No payment information. No security system access. The home alarm panel on your wall is fine. They want you to know the home alarm panel on your wall is fine.
Here’s what they’re not putting in the press release. ShinyHunters has now run this exact playbook against M&S, Co-op, Cisco, Google, Allianz Life, Wynn Resorts, Harvard, McGraw-Hill, Workday, and as of last week, Medtronic. There’s no zero-day. There’s no clever malware. There’s a guy on a phone, and there’s an employee who picks up.
“ShinyHunters didn’t breach these companies through complex zero-days. They manipulated the human layer to walk through the front door of their Salesforce environments.”
— ZOE MURATA, SILENT PUSH RESEARCHER
Now let’s bring this home. Your front desk has a Sarah. So does every dental practice in Johnston County. So does every law firm in Raleigh. Your Sarah has the same single sign-on you have, because that’s how cloud apps work in 2026. The hire who started Tuesday and the founding partner have identical access to the same systems, separated by nothing but a six-character password and whatever multi-factor app the IT guy set up three years ago.
The home security company couldn’t keep itself secure. Read that sentence twice. Then think about what your front desk knows about phishing.
$ tell_your_team
$ enable_phishing_resistant_mfa
STORY_02 // HEALTHCARE
Tuesday morning, April 22nd. Somebody in Necedah, Wisconsin walks up to the pharmacy counter at the Mile Bluff outreach clinic to pick up a prescription. The pharmacist looks at them with the look you give when you’re about to deliver bad news to a regular customer. The system is down. The pharmacy at this location can’t fill anything today. If they need that prescription, they need to drive to the main hospital in Mauston.
Necedah to Mauston is twenty miles. Elroy to Mauston is twenty-five. New Lisbon is closer, but for somebody on a fixed income who timed their week around a refill, twenty miles is a different kind of distance.
Mile Bluff Medical Center is a 40-bed acute-care hospital serving Juneau County, about 50,000 people in central Wisconsin. The kind of place where the same family has been taking their kids for forty years. That morning, the IT staff confirmed what nobody at a small hospital ever wants to confirm. They had a security event involving data encryption. The phones were unreliable. The computers were down. Clinical staff went to paper.
Going to paper sounds like a workaround. It is. It also means somebody in the ER is writing down a patient’s medication list with a Bic pen on a clipboard, while the patient tries to remember exactly what dosage they were on. It means a nurse is calling another nurse on a personal cell phone because the desk phones aren’t routing right. It means every workflow that used to take thirty seconds takes ten minutes, and every minute matters when you have one nurse covering three rooms.
CEO Dara Bartels put out a statement saying the team was working to fully restore systems and that they’d share more once they understood what data, if anything, was touched. As of this writing nobody has claimed it publicly. No ransomware group has posted Mile Bluff to a leak site. That doesn’t mean the data is safe. It means the negotiation is still happening behind the scenes, or the attackers are still going through what they took.
Here’s the part nobody in healthcare wants to admit. The “we’re too small to be a target” defense died years ago. Ransomware crews specifically prefer small rural hospitals because they have fewer IT staff, fewer security tools, and less ability to absorb downtime. A 40-bed hospital with one IT director and an outsourced MSP is not flying under the radar. It’s the sweet spot.
If you run a dental practice or a medical clinic and you don’t have a written downtime procedure that your front desk has actually practiced, you don’t have a downtime procedure. You have a hope.
$ write_a_real_downtime_plan
$ verify_your_backups
STORY_03 // MUNICIPAL
Winona County sits on the Mississippi River in southeast Minnesota. Population fifty thousand. The county building is old and brick and looks exactly like the kind of county building that would have a hand-lettered sign on the door telling you which window to go to for vehicle tabs. On Monday morning, April 6th, somebody at that building tried to log in and couldn’t. By lunchtime they knew it was ransomware. By Tuesday morning, the governor of Minnesota had signed an executive order activating the National Guard’s Cyber Protection Team.
This was the second ransomware attack on Winona County in 100 days.
The first one hit in January and took 30 days to fully clean up. They thought they were done. They thought they’d locked the doors. Different threat actor this time, different entry point, same outcome. DMV services offline. Birth and death certificates offline. Property records offline. If you needed a driver’s license renewed in Winona County in mid-April, you got in your car and drove to the next county.
County workers went to paper and pen. For most of two weeks. The 911 dispatch never went down (the county was very public about that, and rightly so). Fire and ambulance never went down. But the unglamorous machinery of small-town government, the part that issues permits and certifies marriages and tracks who owns what acre of farmland, that all stopped.
“We train and plan for situations like this, and those plans are working. Even though it created a disruption, while technology is a major part of how we operate, it is not the only way we operate.”
— BEN KLINGER, WINONA COUNTY EMERGENCY MGMT
That quote right there is the whole story. Winona County had a plan. The plan worked. Not perfectly. They still got hit, twice. But they kept their courthouse running on legal pads while the National Guard tripled the size of their incident response team. They restored systems on April 24th. They never disclosed whether they paid a ransom. The criminal investigation is still ongoing.
Two attacks in 100 days is the new baseline for county government, school districts, and small municipal utilities. There aren’t enough IT people in rural America to defend every clerk’s office in every town hall. The threat actors know it. They run automated scans across the entire internet looking for one unpatched VPN appliance, one exposed remote desktop port, one leaked credential, and they walk in.
If you’re on a town council, a school board, or a county commission and you’re still treating cybersecurity as a line item that competes with paving roads, you’ve already lost the next attack. You just don’t know it yet.
$ apply_for_SLCGP_grant
$ get_offline_backups
STORY_04 // PUBLIC_SECTOR
Friday morning, April 24th. A mom in Grand Rapids loads two kids in the minivan to go to the library, because Friday morning at the library is what they do. She pulls into the parking lot and the lights are off. There’s a sign on the door. The Kent District Library system, all 22 branches across Kent County, is closed.
Closed Friday. Closed Saturday. Closed Sunday. Closed Monday morning. A weekend gone for kids who had homework due, parents who needed to print tax forms, immigrants and refugees who use library computers to file their paperwork because they don’t have a computer at home, retirees who came to read the paper.
On Monday afternoon, KDL emailed every patron in the system. The email used the word ransomware. The email said the library had been hit, that the team had brought in outside investigators, and that they were working to understand what data, if any, had been touched. Standard breach notification language. Then the email said something else. It told patrons that if they had ever reused their KDL account password anywhere else, they should go change those passwords now. Especially their bank.
A library is asking you to change your bank password.
That sentence is the most honest thing any breach victim has said this month. They didn’t dance around it. They didn’t say “out of an abundance of caution we recommend reviewing your account hygiene.” They said: if your library password is also your Chase password, your Chase password is now in somebody’s database in a country we can’t extradite from.
Four branches reopened at noon on Monday. Cascade. Kentwood. Plainfield. Wyoming. The other 18 stayed dark. Even at the open branches, the public computers were unavailable. The printers were unavailable. The gaming labs were unavailable. The Kristin Hannah author event got bumped to May. The librarians are checking books out by hand on paper slips, like 1987 with better posture.
Across town, Cherry Health, the largest federally qualified community health center in Michigan, was simultaneously dealing with what they were calling an “organizationwide technology issue” affecting their phones. They were careful not to call it a cyberattack. The local TV stations were less careful.
Two community-serving institutions in the same metro, on the same weekend, both telling people their systems were down. The kids couldn’t print their book reports. The patients couldn’t reach their doctors. Whoever did this didn’t care about either.
$ stop_reusing_passwords
$ check_haveibeenpwned.com
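The library’s advice above, as an added example (not the briefing’s own code and not Have I Been Pwned’s): the k-anonymity check behind the Pwned Passwords range API, with a constructed offline stand-in for the HTTP call and made-up breach counts. The account labels and passwords are hypothetical.

```python
import hashlib
from typing import Callable, Dict

# k-anonymity lookup as used by the Have I Been Pwned "Pwned Passwords" range API:
# only the first 5 hex chars of the SHA-1 hash are sent; the server returns every
# suffix sharing that prefix, and the match happens locally. (Added example.)

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the representation the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip malformed lines."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            seen[suffix.upper()] = int(count)
    return seen

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus (0 = not seen).
    fetch_range(prefix) returns the response body for a 5-char prefix; a live
    fetcher would GET https://api.pwnedpasswords.com/range/<prefix>."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the network call. Counts are made up.
FAKE_CORPUS = {"password": 3861493, "letmein": 253221}

def fake_fetch_range(prefix: str) -> str:
    """Mimic the endpoint: emit corpus suffixes under this prefix plus one
    filler line, CRLF-separated like the real response."""
    lines = [f"{sha1_hex(p)[5:]}:{n}" for p, n in FAKE_CORPUS.items()
             if sha1_hex(p)[:5] == prefix]
    lines.append("0" * 35 + ":1")  # filler so the body is never empty
    return "\r\n".join(lines)

def reuse_report(accounts: Dict[str, str],
                 fetch_range: Callable[[str], str] = fake_fetch_range) -> Dict[str, int]:
    """Breach count per account label, e.g. library vs. bank using one password."""
    return {label: pwned_count(pw, fetch_range) for label, pw in accounts.items()}

if __name__ == "__main__":
    # Hypothetical accounts: two share a breached password, one is unique.
    print(reuse_report({"library": "password", "bank": "password",
                        "email": "correct-horse-battery-staple-9"}))
```

Swap `fake_fetch_range` for a real HTTP GET of the range URL and the same code runs against the live corpus; the full password hash never leaves the machine either way.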
STORY_05 // REGULATORY
Thursday, April 24th. Somewhere in Washington D.C., a press release goes live on the HHS website. Then another. Then a third. Then a fourth. The Office for Civil Rights, the federal agency that enforces HIPAA, just announced four ransomware-related settlements at the same time. Total fines: 1.165 million dollars. Combined patient data exposed across the four cases: more than 427,000 people.
Every single one of those four settlements came down to the same thing: the practice never did a real HIPAA risk analysis before they got hit. Not paperwork, not an MSP checklist, not a vendor’s compliance dashboard with green checkmarks on it. An actual document, signed by leadership, that says here’s what data we have, here’s where it lives, here’s what could go wrong, and here’s what we’re doing about each of those things.
Assured Imaging: PYSA ransomware, ~245,000 patients exposed
Axia Women’s Health: ransomware breach, regional women’s health group
Star Group L.P.: self-funded employer health plan, ransomware
Consociate Health: third-party benefits administrator, ransomware
Pay attention to that third one. Star Group is a self-funded employer health plan, which means it’s the company itself acting as the insurance, not Aetna or Blue Cross. OCR went after the employer plan as the covered entity. Not the carrier, the employer. Every law firm, every dental DSO, every regional medical practice that runs a self-funded plan to save money on benefits just got told they’re personally on the hook for the next ransomware attack.
And pay attention to the fourth one. Consociate is the third-party administrator, the vendor that processes claims for somebody else’s plan. They got fined too. The covered entity gets fined. The business associate gets fined. Everybody in the chain gets fined. The MSP that’s supposed to be running your security gets fined.
OCR Director Paula Stannard put it in the press release in the most boring possible language: hacking and ransomware are the most frequent type of large breach, and proactively implementing the Security Rule before a breach is the law and your best chance to mitigate harm. Boring language. Not a boring message. The message is that the federal government is going to keep finding the practices that didn’t do a risk analysis, and the federal government is going to keep fining them.
A real risk analysis costs less than the smallest fine on that list. By a lot.
$ pull_your_last_risk_analysis
$ ask_your_MSP_for_proof
CLOSING_THOUGHTS
Every story this week comes back to the same thing. ADT got walked through giving up credentials by somebody on a phone. Mile Bluff and Winona County and Kent District Library got owned because somewhere in their environment, something was exposed that shouldn’t have been, and nobody caught it before the bad guys did. The four practices OCR fined got hit because they hadn’t even sat down to write the document that would have told them where their weak spots were.
The pattern is people. Every breach this week is a story about a person making a decision under pressure with bad information. The vishing call lands when somebody’s in the middle of three other things. The Okta credentials get typed when the voice on the phone sounds urgent and helpful. The risk analysis never gets done because the practice manager has eight other things on her plate and nobody at the top of the org chart made it a priority.
You can’t buy your way out of this with a firewall. The expensive firewall doesn’t stop the phone call. You can’t outsource your way out of it either, because the MSP doesn’t sit at your front desk. What you can do is make sure the people on your team know the rules of the road, and make sure the systems they touch every day are configured well enough that one bad click doesn’t cost you the company.
That’s it. That’s the whole game. See you next week.
Austin Eatman
Co-Founder // CyberFortify Solutions
FORTIFIED_WEEKLY
This briefing was Issue #005.