Cyber Incident Victim: Bayamón Medical Center
Date:
Jul 2019
Location:
United States of America
Summary
A ransomware attack impacted Bayamón Medical Center and its affiliated Puerto Rico Women And Children’s Hospital, encrypting files and potentially exposing patient data. The incident affected over 520,000 individuals across both healthcare facilities, with the medical center reporting approximately 422,500 potentially compromised records and the women and children’s hospital reporting nearly 100,000. The hospitals notified federal health authorities and the public about the security breach but did not disclose whether a ransom was paid, the method of ransomware infiltration, or the status of data recovery efforts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 19, 2019, Bayamón Medical Center and its affiliated Puerto Rico Women And Children’s Hospital publicly disclosed a ransomware incident that encrypted files within their systems. The hospitals characterized the event as "recent" but provided no specific timeline for the initial intrusion or encryption activity. A joint notification was submitted to the U.S. Department of Health and Human Services (HHS) on the same date, fulfilling regulatory obligations for breaches affecting protected health information. The hospitals did not disclose technical details regarding the ransomware variant employed, the initial attack vector, or whether data exfiltration occurred alongside file encryption. No information was released about containment procedures, system restoration methods, or whether a ransom payment was made to the attackers. The public statement confirmed the incident resulted in operational disruption due to file encryption but omitted specifics about affected clinical systems, downtime duration, or alternate care protocols implemented during recovery.
The incident potentially compromised the protected health information of 522,439 patients collectively, with Bayamón Medical Center reporting 422,496 affected individuals and Puerto Rico Women And Children’s Hospital reporting 99,943 impacted patients. Neither institution specified the types of data exposed in the encrypted files, leaving the scope of potential identity theft or fraud risks undefined. The hospitals issued a joint press release acknowledging the event but did not describe any patient notification procedures, credit monitoring offerings, or identity theft protection services provided to affected individuals. No law enforcement agency involvement or forensic investigation findings were referenced in the public disclosure. The lack of technical and procedural details in the notification hindered public assessment of the attack's sophistication, operational impact severity, and adequacy of response measures. Both facilities resumed normal operations post-incident but did not publicly confirm whether all patient records were fully recovered from backups or decrypted.