Date: Mar 2022

Location: United States of America

Summary

A Northern California nonprofit healthcare provider serving Medi-Cal beneficiaries suffered a ransomware attack attributed to the Hive group, which encrypted its systems and caused significant operational disruption. The attackers claimed to have stolen 400 GB of data containing personal information on more than 850,000 individuals, including names, Social Security numbers, and medical records. With its systems inoperable, the organization replaced its website with a static notice, suspended processing of treatment authorizations, and fell back on email communications that excluded sensitive data. Hospitals were instructed to provide urgent care without prior approval and to submit authorizations retroactively. Forensic experts were engaged to investigate the breach and restore services. The ransomware group's dark web post, later deleted, pointed to a breach that, if verified, would have been the largest healthcare data compromise of 2022 up to that point.


Description

The ransomware attack on Partnership HealthPlan of California (PHC) began on or around March 19, 2022, when the Hive ransomware group encrypted the nonprofit's systems. PHC—serving over 610,000 Medi-Cal beneficiaries across 14 Northern California counties—first publicly acknowledged technical disruptions on March 21 by notifying a local health center of system outages. By March 24, regional media reported widespread operational impacts, prompting PHC to replace its website with a static notice confirming a cybersecurity incident. The organization disclosed it had engaged third-party forensic experts to investigate anomalous network activity and restore affected systems. Critical care coordination systems were disabled, including the inability to process Treatment Authorization Requests (TARs), forcing healthcare providers to deliver urgent services without prior approvals and submit retroactive authorizations for procedures scheduled within two weeks. Member services lines played recorded messages stating all systems were down with no estimated restoration time.


Hive ransomware operators claimed responsibility on their dark web leak site, alleging theft of 400 GB of data containing personally identifiable information (PII) for 850,000 individuals—a figure that would represent the largest healthcare breach of 2022 if verified. The stolen data reportedly included patient names, Social Security numbers, birthdates, addresses, and contact details. PHC acknowledged awareness of these claims but declined confirmation during the ongoing investigation. Hive listed PHC on its leak site on March 29 after initially encrypting systems ten days earlier. The attack mirrored Hive's 2021 healthcare targeting, which included the Memorial Health System incident where ransomware forced emergency department diversions and surgical cancellations. PHC's response prioritized contingency communications via email while warning against transmitting sensitive data through unsecured channels. No public evidence indicated PHC paid a ransom, contrasting with Memorial Health System's confirmed payment during Hive's 2021 attack. Operational disruptions persisted with no disclosed resolution timeline as forensic work continued.
