A previously unseen ransomware crew calling itself Crpx O has announced its arrival in blunt fashion, listing six healthcare organizations on its dark web leak site on a single day. Five of the six are small dental practices in the United States, an unusually narrow debut that points to a group hunting soft targets rich in sensitive patient data. As with every leak site listing, these are unverified extortion claims posted by the attackers themselves, not confirmed breaches.
According to the group's own data-leak blog, all six victims were named on 2026-07-09, the first day Crpx O has appeared in IntelFusions tracking. The named organizations are Creative Smiles Pediatric Dentistry, SF Smile Doctor, Bishop Arts Dental PLLC, Top Notch Dentistry of Dallas and Benjamin H. Wang DDS Inc. in the US, alongside AMHWA Biopharm Co., Ltd. in China. Every listing is categorized as healthcare.
Why dental offices
Small dental and specialty medical practices have become a favorite of extortion crews for consistent reasons: they hold highly sensitive protected health information (patient names, dates of birth, Social Security and insurance numbers, and clinical or imaging records) while typically running on modest IT budgets with little in house security. Many outsource their systems to a managed service provider or share a common practice management and imaging platform, so a single upstream compromise can expose a cluster of unrelated clinics at once.
The fact that five US dental practices surfaced on the same day, from the same brand new crew, is the detail worth watching. It is consistent with either automated hunting of exposed remote access on dental office networks or a breach at a shared vendor or MSP that serves several of the named practices. IntelFusions has not confirmed a common supplier, and Crpx O has published no ransom demands, data samples, or intrusion details that would settle the question.
How much to believe
Because Crpx O has no prior track record, its tradecraft, encryptor, and origins are unknown, and there is no way yet to gauge whether it both steals and encrypts data or simply steals and extorts. Leak site debuts are frequently padded with old or recycled victims to manufacture credibility, so the roster should be treated as claims until an affected practice confirms an incident. New crews naming a burst of victims on day one is now a familiar pattern, echoing the recent debut of Booba Project and the US clinic focused Genesis operation. You can follow new listings on the Crpx O profile.
What healthcare providers should do
Dental and small medical practices, and the MSPs that serve them, should treat this as a prompt to verify that offline, tested backups exist, that multi factor authentication is enforced on all remote access and email, and that any shared practice management or imaging platform is patched and monitored. Practices that appear on the list should assume patient data may be exposed, preserve logs, and prepare breach notification obligations under HIPAA even before the claim is verified.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.