Incransom posted two additional US victims on May 25, 2026 — Open Door Health Center, an Illinois community health organization, and PILLER AIMMCO, a custom plastic injection molding and tooling manufacturer — bringing the group’s two-day victim total to three organizations as it simultaneously pursues the UAE-based Meirc Training & Consulting breach disclosed the same day.
Open Door Health Center and PILLER AIMMCO: Incransom’s May 25 US Disclosures
The two May 25 US listings arrive alongside Incransom’s Meirc Training & Consulting posting — also disclosed on May 25 — creating a three-victim, 48-hour burst that spans Illinois healthcare, US manufacturing, and a Middle East professional training firm. The pattern indicates Incransom is running concurrent domestic and international campaigns rather than sequential single-target operations.
Incransom has not disclosed specific data volumes for either the Open Door Health Center or PILLER AIMMCO listings. The group’s historical pattern includes ransom payment deadlines of one to two weeks before exfiltrated data is published on its public leak portal.
Open Door Health Center’s HIPAA Obligations and Community Healthcare Data
Open Door Health Center is an Illinois-based community health organization that provides comprehensive primary care through a “medical home” model, serving patient populations that typically include uninsured and underinsured individuals, Medicaid beneficiaries, and vulnerable community members. Healthcare providers of this type hold HIPAA-regulated data: patient health records, treatment histories, insurance billing data, Social Security numbers, and demographic information for the communities they serve.
A confirmed breach would trigger mandatory HIPAA breach notification obligations and HHS reporting requirements. Every affected patient record must be counted, notified, and reported to HHS within 60 days of discovering the breach. The inclusion of a community health center — rather than a large hospital system — in Incransom’s victim batch reflects a broader 2026 pattern of ransomware groups targeting smaller and mid-size US healthcare providers that hold equally sensitive patient data but operate with materially weaker defensive postures than enterprise systems.
PILLER AIMMCO: Custom Mold Tooling Designs and Client Production IP at Risk
PILLER AIMMCO operates as a custom plastic injection molding and tooling company. Custom mold tooling designs, client product specifications, production contracts, and manufacturing process data are proprietary assets that create supply chain risk for PILLER AIMMCO’s industrial clients if exposed. A full-archive exfiltration from a custom manufacturer extends breach risk to each client whose product designs or production specifications were held in company systems.
Incransom’s pairing of a manufacturing victim with a healthcare provider in the same batch reflects the group’s sector-agnostic targeting model — using the healthcare listing’s regulatory and reputational visibility while simultaneously pursuing industrial intellectual property from the manufacturing victim.
Incransom’s Three-Victim, 48-Hour Posting Burst Across US and UAE
The May 24–25 window produced three Incransom disclosures: Meirc Training & Consulting (UAE, professional training and consulting), Open Door Health Center (Illinois, healthcare), and PILLER AIMMCO (USA, manufacturing). The breadth — spanning two continents, three sectors, and a mix of public-facing and industrial organizations — points to concurrent affiliate operations across multiple geographies.
Incransom had already posted a Spanish aerospace manufacturer, Mecanizados y Montajes Aeronáuticos, on May 23, 2026 — just two days before the US and UAE burst — suggesting the group or its affiliates were managing at least four active extortion timelines simultaneously across Europe, the Middle East, and North America in a single three-day period.
