In a troubling development for the healthcare sector, a cybercriminal group known as Rhysida has publicly claimed responsibility for a data breach at a U.S. medical manufacturing company called Cytek Biosciences. According to reports, the attackers not only stole sensitive information but also allegedly sold it to third parties on underground data markets.
What Happened in the Breach?
The attack occurred in November 2025, when Rhysida targeted Cytek Biosciences, a firm based in Fremont, California, that produces specialized instruments used in biological research and clinical diagnostics. The group listed Cytek on its own “data leak” site—an illicit platform where cybercriminals showcase stolen information and offer it for sale. To support its claim, Rhysida posted sample documents that it says were taken from Cytek’s systems.
While Rhysida’s announcement states that the stolen data has been sold, Cytek has not publicly confirmed the group’s claims or acknowledged the sale. Independent verification of the authenticity of the leaked samples is also lacking. It remains unclear whether the company paid a ransom, how the attackers gained access, and exactly how many records may have been compromised.
What Kind of Data Was Stolen?
According to Cytek’s breach notification sent in November to individuals affected by the incident, the compromised data included a wide range of highly sensitive personal details:
- Full names
- Social Security numbers
- Health and medical information
- Financial and compensation records
- Employee usernames and passwords
- Mailing and email addresses
- Phone numbers and dates of birth
- Driver’s license or other government ID numbers
- Signatures and citizenship information
This breadth of information significantly increases the risk of identity theft, financial fraud, and other harmful misuse of personal data.
Who Is Rhysida?
Rhysida is a ransomware group that has been active since May 2023. It operates a ransomware-as-a-service (RaaS) model, meaning affiliates can use its malware infrastructure to launch attacks and share in the profits. Since its emergence, it has claimed responsibility for hundreds of ransomware incidents, often demanding ransom payments both to decrypt systems and to prevent the release of stolen data.
The Cytek incident is particularly notable because it marks the group’s first confirmed attack on a medical manufacturer, distinguishing it from prior targets that tended to be healthcare providers such as hospitals and clinics.
Rising Threats to Healthcare Manufacturers
According to recent data compiled by Comparitech researchers, there has been an uptick in ransomware attacks on U.S. healthcare businesses that don’t provide direct care, including medical manufacturers, pharmaceutical vendors, and medical software developers. In 2025 alone, such attacks have affected well over 5.8 million records, with other incidents involving companies like Fieldtex Products and Avosina Healthcare Solutions.
These breaches not only disrupt the victims’ operations but can also expose sensitive information belonging to patients, partners, and employees—creating ripple effects across the healthcare system.
What Comes Next?
Cytek has offered 24 months of free identity theft protection through a third-party service to eligible individuals who were notified of the breach. Meanwhile, cybersecurity experts continue to emphasize the importance of robust defenses, incident response planning, and regular security audits, particularly for organizations in the medical and healthcare sectors.
