Cyber Incident Victim: Puerto Rico Women And Children’s Hospital
Date: Jul 2019
Location: United States of America
Summary
A ransomware attack targeted Bayamón Medical Center and its affiliated Puerto Rico Women And Children’s Hospital, encrypting files and potentially compromising data for over 520,000 patients collectively. The hospitals notified federal authorities and the public about the incident but withheld specifics regarding the intrusion method, ransom demands, or full recovery status of affected records. The breach exposed sensitive information of approximately 422,500 individuals at Bayamón Medical Center and nearly 100,000 at the affiliated facility, though no evidence of data misuse was confirmed.
Description
On July 19, 2019, Bayamón Medical Center and Puerto Rico Women And Children’s Hospital jointly disclosed a ransomware incident affecting their operations. The hospitals characterized the event as a “recent” security breach that resulted in the encryption of files within their systems. While the public notification occurred on July 19, the exact timeline of the initial intrusion and encryption activity remained unspecified in their announcement. Neither hospital revealed technical details regarding the ransomware variant employed, the initial attack vector, or whether threat actors exfiltrated data prior to encryption. The incident prompted formal notifications to the U.S. Department of Health and Human Services (HHS) in compliance with federal breach reporting requirements. Bayamón Medical Center reported 422,496 potentially affected patients, while Puerto Rico Women And Children’s Hospital reported 99,943 potentially impacted individuals, creating a combined exposure exceeding 520,000 patients across both facilities. The hospitals did not disclose whether they engaged with the attackers, paid ransom demands, or possessed functional backups to restore systems without negotiation. Operational impacts included disruption to file access due to encryption, though the duration of system unavailability and specific clinical services affected were not detailed in the public statement.

The breach notification lacked specifics regarding detection methods, internal investigation findings, or containment procedures implemented following the ransomware deployment. Both entities issued a joint press release acknowledging the encryption event but omitted technical remediation steps and any involvement of third-party forensic support. The notification did not define which patient data was potentially accessible to the attackers, and did not confirm whether protected health information (PHI) was viewed or copied. The hospitals did not outline credit monitoring or identity protection services offered to affected individuals beyond the HHS-mandated disclosure. Recovery status, including whether all patient records were fully restored, remained undisclosed at the time of reporting. The incident highlighted systemic vulnerabilities within the affiliated healthcare providers but yielded no public attribution to specific threat actors or ransomware groups. Ongoing operational challenges post-incident were not quantified, leaving the long-term financial and reputational consequences unaddressed in available communications.
