
TridentLocker Picked The 9/11 First-Responder Health Program As Its Second Victim Of The Week. The Vertical Is Healthcare-Adjacent-Plus-Reputational-Lethality. Tampa Bay Dental Was The First.

  • Writer: Patrick Duggan

TridentLocker posted the World Trade Center Health Program to its leak site today. The program enrolls approximately 130,000 first responders and survivors of the 9/11 attacks under the Zadroga Act and provides federally-administered medical monitoring and treatment for exposure-related illnesses — respiratory disease, cancers documented to be related to WTC dust exposure, mental health diagnoses tied to post-traumatic stress from the events themselves. This is the kind of dataset whose records are not just sensitive but politically sacred in US public discourse. Veterans-advocacy organizations, congressional offices, and 9/11 memorial groups will dominate the press coverage of this incident for weeks.


It is TridentLocker's second leak-site post in seventy-two hours. The first was Tampa Bay Dental Implants and Prosthetics, posted to the same leak site on Memorial Day weekend with approximately six-thousand-four-hundred patient records. We covered it in the May 28 piece about the three other things that hit this week while everyone was looking at the Exchange CVE-2026-42897 deadline. Two HIPAA-regulated US healthcare targets within five days from a single mid-tier ransomware crew is not a coincidence. It is a vertical pattern emerging in real time.


The shared property across the two victims is worth naming precisely. Tampa Bay Dental is a small specialty practice with patient PHI that carries class-action exposure under HIPAA and Florida state-AG breach-notification statutes. The WTC Health Program is a federally-administered medical program with patient PHI plus exposure-illness diagnoses plus federal-incident-response implications. The shared structural property is healthcare-adjacent-plus-reputational-lethality. The leak-pressure-per-record ratio for both datasets is disproportionate to the raw record count because the press coverage of a leak generates regulatory and political pressure that translates into payment leverage faster than the actor would get from a generic enterprise PII breach of the same record count.


TridentLocker is a relatively new ransomware crew in the early-cycle iteration phase. No major IR firm has dropped a comprehensive technical write-up on its tradecraft yet. The victim count is small compared to the headline-grabbing actors but the targeting consistency is meaningful. When a new ransomware crew picks two HIPAA-regulated US targets in a single week, the crew is not random-walking through targets — it has settled on a vertical and is testing the operational tempo.


This is the second receipt for a frame we have been writing all week. The Coinbase Cartel confederation hit DentaQuest on May 23 in the dental-and-vision-insurance vertical. Five days later TridentLocker hit Tampa Bay Dental in the dental-care vertical. Two unrelated actors arriving at the dental vertical within five days is not coordination. It is two independent operators recognizing the same structural fragility — dental targets produce patient PHI and insurance PHI simultaneously, the class-action plaintiffs' bar has well-established playbooks for dental breaches because 2024 through 2026 has seen multiple such breaches, and the vertical's brand-protection budgets are smaller than those of comparable medical-device or hospital-system targets. The dental vertical is in scope for multiple mid-tier ransomware actors at the same time because it is structurally easier to breach and structurally harder to defend.


The WTC Health Program is a different kind of receipt. It is the politically charged receipt. The first dental case was about the vertical's fragility. The WTC case is about the actor's willingness to pick targets where the press coverage is guaranteed. A relatively unknown ransomware crew picking the WTC Health Program as its second public victim is making a marketing decision. The actor wants the press attention. The press attention drives the payment-leverage calculus because every news article quoting a veterans-advocacy organization or a congressional office adds pressure on Instructure-style settlement decisions.


What HIPAA-regulated healthcare organizations should do this week, in ascending order of operational cost:


First, audit your data-class inventory. Know which patient-data records in your environment carry the highest leak-pressure-per-record ratio — mental health treatment records, reproductive health records, addiction treatment records, records of patients enrolled in federally-administered programs, and any records bearing patient images or biometric data. Those records are not in the same risk class as generic billing records. They need different audit cadences and different breach-response playbooks.


Second, audit your contractor and third-party-vendor matrix. Both ShinyHunters at DentaQuest and TridentLocker at Tampa Bay Dental appear to be entering through third-party-credential routes — help-desk vendors, staff-augmentation contractors, managed-services partners with administrative reach into core systems. The contractor-access matrix is the unaudited surface for most mid-market healthcare organizations. Build the inventory this week. Audit which contractor credentials have multi-factor authentication enforced at the point of use, not just at the point of issuance.


Third, pre-write your ransom-incident decision tree at the executive-team level. Decide now — before a leak-site posting happens to you — what your public-statement posture is, who has authority to authorize a payment, and what your shred-logs-receipt threshold is. The worst time to write that policy is during the seventy-two hours between leak-site posting and the threatened-release deadline. The DentaQuest playbook of acknowledge-the-incident-publicly-within-days is procedurally defensible. The silence-then-negotiation playbook is also procedurally defensible within HIPAA's sixty-day discovery window. Different postures favor different outcomes. Knowing which posture your organization will take should not be a decision made under deadline pressure during an active incident.
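One way to run the contractor-credential check from the second recommendation, as an added example that is not part of the original article: it joins a contractor inventory against sign-in records to separate "MFA enrolled at issuance" from "MFA actually satisfied at the point of use" on each system the account can administer. The CSV layouts, column names, account names and finding labels are all assumptions constructed for illustration; map them to whatever your identity provider and vendor register export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (hypothetical accounts and vendors, not a real environment).
INVENTORY_CSV = """account,vendor,role,mfa_enrolled,admin_systems
hd-jlee,HelpDeskCo,help-desk,yes,ehr;idp
sa-mroy,StaffAugLLC,staff-aug,yes,ehr
msp-ops1,ManagedSvcInc,msp,no,ehr;backup
hd-tkim,HelpDeskCo,help-desk,yes,
msp-ops2,ManagedSvcInc,msp,yes,backup
"""
SIGNINS_CSV = """account,system,mfa_satisfied
hd-jlee,ehr,true
hd-jlee,idp,false
sa-mroy,ehr,true
msp-ops1,backup,false
"""

def audit(inventory_csv, signins_csv):
    """Return {account: finding} for contractor accounts with admin reach."""
    seen = defaultdict(dict)  # account -> {system: did every sign-in satisfy MFA?}
    for ev in csv.DictReader(io.StringIO(signins_csv)):
        ok = ev["mfa_satisfied"].strip().lower() == "true"
        prior = seen[ev["account"]].get(ev["system"], True)
        seen[ev["account"]][ev["system"]] = prior and ok
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        systems = [s for s in row["admin_systems"].split(";") if s]
        if not systems:
            continue  # no administrative reach: out of scope for this check
        acct = row["account"]
        if row["mfa_enrolled"].strip().lower() != "yes":
            findings[acct] = "NOT_ENROLLED"
            continue
        # One sign-in without MFA is enough to show enforcement is missing.
        bypass = sorted(s for s in systems if seen[acct].get(s) is False)
        unverified = sorted(s for s in systems if s not in seen[acct])
        if bypass:
            findings[acct] = "MFA_NOT_ENFORCED_AT_USE:" + ",".join(bypass)
        elif unverified:
            findings[acct] = "NO_SIGNIN_EVIDENCE:" + ",".join(unverified)
        else:
            findings[acct] = "OK"
    return findings

if __name__ == "__main__":
    for acct, finding in audit(INVENTORY_CSV, SIGNINS_CSV).items():
        print(f"{acct:10} {finding}")
```

Accounts reported as `NO_SIGNIN_EVIDENCE` are enrolled but unproven: treat them as open audit items rather than as passing.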


Watch for TridentLocker's third victim within the next seven days. If a third HIPAA-regulated US healthcare target lands on their leak site, the actor's vertical fingerprint is confirmed at production scale and the public IR community will start producing tradecraft writeups. Watch for federal IR involvement on the WTC Health Program incident — HRSA, HHS, FBI — because federally-administered programs surface operator infrastructure through cooperating-agency channels that purely-private incidents do not produce. Those infrastructure surfaces will become the first comprehensive TridentLocker IOC additions to our index and to the broader threat-intelligence community's index.


The dental piece was the first receipt. The WTC piece is the second. The third receipt is coming. We will be watching, and so should every mid-market healthcare CISO whose data inventory includes anything with a higher reputational-lethality ratio than generic billing records.



