Cyber Incident Victim: Consorci Sanitari Integral
Date:
Oct 2022
Location:
Spain
Summary
A ransomware attack targeted Consorci Sanitari Integral, a public healthcare provider serving over a million patients annually, resulting in the theft and leak of 52GB of sensitive data including medical records and identity documents. The incident caused significant operational disruptions across multiple hospitals and health centers, with staff unable to access computerized patient records, diagnostic tests, medication plans, and email services for several days. Non-emergency services were particularly affected, forcing healthcare workers to rely on manual documentation and limiting consultations to urgent cases. The organization restored systems using cloud backups and implemented defensive measures such as network segmentation and firewall enhancements. Recovery efforts included updating over 3,000 computers and deploying new devices to primary care facilities. Authorities collaborated with cybersecurity and data protection agencies to investigate the breach and mitigate its impact.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On October 7, 2022, Consorci Sanitari Integral (CSI), a public healthcare provider serving over 1 million patients annually across Barcelona and Baix Llobregat, suffered a ransomware attack detected during early morning hours. The intrusion disrupted all 13 CSI facilities, including Dos de Maig Hospital in Barcelona, Creu Roja Hospital in l'Hospitalet, Moisès Broggi Hospital in Sant Joan Despí, 10 primary care centers (CAPs), two specialized care centers (CAEs), and two residential facilities. Attackers deployed malware that encrypted systems, blocking access to computerized patient records, diagnostic test results, medication plans, email services, and appointment scheduling software. Medical staff resorted to handwritten notes and telephone coordination for inpatient and emergency care, while non-urgent consultations, diagnostic imaging (including X-rays), and new patient appointments were suspended. Network segmentation and firewall configurations prevented total infrastructure collapse, though the attack forced three days of reduced operational capacity across all affected sites. Emergency services remained functional through contingency plans activated by Catalonia’s Cybersecurity Agency and Department of Health.
CSI confirmed full system restoration by October 11 using cloud-based backups, completing software updates on over 3,000 workstations and deploying replacement computers to primary care centers. The ransomware group RansomExx claimed responsibility, publishing 52GB of exfiltrated data on dark web forums containing medical test results, identity documents, and administrative records. Catalonia’s Data Protection Authority collaborated with CSI to assess breach scope while regional officials attributed the rapid containment to cybersecurity protocols developed in 2020. Operational disruptions delayed diagnostic services and elective procedures, though no critical care interruptions or patient safety incidents were reported. The incident marked Catalonia’s third major ransomware attack within 12 months, following breaches at Universitat Autònoma de Barcelona and regional government systems. CSI’s recovery required manual reconstruction of scheduling systems and temporary suspension of dependency assessment services in Barcelona and l'Hospitalet.