Airdrie Physiotherapy Data Breach: 54 GB of Sensitive Patient Data Stolen by M3RX Ransomware Group

On April 29, 2026, the ransomware group M3RX publicly claimed responsibility for attacking Airdrie Physiotherapy & Massage, a multi-disciplinary healthcare clinic in Airdrie, Alberta, Canada. The attackers exfiltrated 54 GB of data containing approximately 116,000 files.

The clinic offers physiotherapy, massage therapy, acupuncture, laser therapy, vestibular therapy, and other rehabilitation and wellness services. Like many small to mid-sized healthcare providers, it handles highly sensitive patient information—including personal details, medical histories, treatment records, and potentially insurance or billing data.

What Happened

M3RX added airdriephysio.com to their dark web leak site and posted a description of the victim along with the volume of stolen data. The group is threatening to publicly release or further exploit the information unless their demands are met. As of the latest reports, the full dataset has not been broadly published, but the mere theft of 54 GB from a healthcare provider represents a serious exposure risk for patients.

This incident fits a growing pattern: opportunistic ransomware groups targeting smaller healthcare organizations that often operate with limited IT resources and basic cybersecurity controls. Patient health records remain extremely valuable on the dark web, fetching high prices due to their potential for identity theft, insurance fraud, and targeted scams.

Why This Matters

Even a “small local clinic” breach can have outsized consequences:

• Patients face risks of identity theft, medical fraud, and privacy violations involving their health conditions and treatments.

• The clinic must deal with regulatory notifications under Canadian privacy laws (such as PIPEDA or Alberta’s PIPA), potential fines, reputational damage, and operational disruption.

• Broader healthcare sector: These attacks highlight how limited budgets for advanced monitoring, patching, and employee training leave valuable data exposed.

Small and medium-sized healthcare providers are frequent targets precisely because they possess the same sensitive data as larger hospitals but often lack enterprise-grade defenses.

Don’t let your patient or client data become the next headline.

If you run a physiotherapy clinic, medical practice, wellness center, or any organization handling personal health information, now is the time to act. Basic antivirus and firewalls are no longer enough against modern ransomware groups like M3RX.

Schedule a free vulnerability scan with Mojave IT Pros today.

Our team will identify the exact gaps—unpatched systems, weak access controls, insufficient monitoring, or misconfigured backups—that allowed attackers to quietly exfiltrate 54 GB in this case. We’ll help you close those vulnerabilities before threat actors do it for you.
Protecting patient trust and complying with privacy regulations starts with proactive security, not reactive damage control.

Contact Mojave IT Pros now for your complimentary vulnerability assessment and take the first critical step toward robust cyber resilience.

Stay vigilant. Secure your practice. Safeguard your patients.