Incident Overview

A threat actor operating under the handle "aming" claims to be selling a MySQL database backup from Guangdong Medical University Affiliated Hospital (广东医科大学附属医院), a major comprehensive tertiary Grade A hospital (三级甲等医院) located in Zhanjiang, Guangdong Province, China. The hospital serves as a primary medical, teaching, and research center in the region and includes a comprehensive hemodialysis center.

According to the detailed "Database Institution Ownership Analysis Report" posted by the threat actor, the database file is named `mysql_full_20251223_012617.sql`, is 1.4GB in size, uses MySQL version 5.7.36, and was created using mysqldump 10.13. The data period spans May 21, 2025 to December 15, 2025 with a backup date of December 23, 2025. The database supports a Hemodialysis Clinical Management System with capabilities including real-time patient monitoring during dialysis sessions, medication order management, clinical communication and alerts, medical record keeping, and compliance reporting. Key identifiers include Tenant ID 20071, Hospital ID 20071001. The post includes evidence chain analysis showing 50+ patient records in the `hd_patient_pathway_info` table and 12+ recurring entries in system job logs.