Cyber Incident Victim: Servei de Salut de les Illes Balears

On or around January 1, 2022, the Servei de Salut de les Illes Balears (IB-Salut), the public health service of Spain's Balearic Islands, publicly disclosed a cyberattack that had occurred approximately two weeks earlier in mid-December 2021. The incident impacted all public health centers and hospitals under IB-Salut's jurisdiction across the archipelago. Authorities delayed public notification until the new year, though internal containment measures were implemented immediately following detection. Initial response actions required all employees to reset their passwords as a precautionary security measure. Network access restrictions were also imposed across the health service's infrastructure, significantly limiting internet usage to prevent potential lateral movement or data exfiltration by attackers. The organization did not initially characterize the attack type or identify threat actors involved.

The cyberattack's primary operational impact centered on disrupting administrative and clinical workflows through enforced internet restrictions, though clinical care continuity was maintained. IB-Salut and the Balearic Islands regional government declined to confirm whether patient health records, personally identifiable information, or other sensitive data were compromised during the breach. No ransomware claims or data leak threats were publicly acknowledged at the time of disclosure. The incident response focused on credential security and network segmentation rather than system restoration, suggesting no confirmed encryption or destructive payload deployment. Ongoing investigations by regional authorities failed to produce immediate public updates regarding attack vectors, attribution, or definitive evidence of data theft affecting patients or employees.