Cyber Incident Victim: Val Verde Regional Medical Center

On or around March 10, 2022, Val Verde Regional Medical Center (VVRMC) experienced a ransomware attack attributed to the LockBit group. LockBit claimed to have compromised the Texas-based hospital and exfiltrated 96,000 patient records containing sensitive personal and medical information. The attackers listed VVRMC on their data leak site on March 16, 2022, providing samples of the stolen records. These records included structured data fields such as PatientID, Social Security numbers, dates of birth, addresses, contact information, employer details, guarantor information, and medical provider data. Between March 17-18, DataBreaches.net attempted to contact VVRMC for confirmation but received no response. Shortly after the initial listing, LockBit released approximately 400 MB of patient data on the dark web, though the hospital remained publicly silent about the breach at this stage.

VVRMC eventually acknowledged the incident through a press release and website notice on May 26, 2022, confirming the March 10 breach date but omitting any reference to LockBit or the dark web data dumps. By this time, LockBit had escalated their disclosure by releasing what they claimed was 150 GB of additional hospital files on April 8. The hospital’s notification did not specify the number of affected individuals, and the incident remained absent from HHS’s public breach portal as of May 26. On May 27, 2022, HHS records revealed that VVRMC had reported the breach as impacting 86,562 patients. Throughout the two-month period between the initial attack and official acknowledgment, no public statements, website alerts, or media advisories from VVRMC were identified by external observers, leaving the scope of compromised data and mitigation efforts unclear based on available evidence. The confirmed consequences included the exposure of highly sensitive patient demographics, financial identifiers, and medical details across multiple unauthorized data releases.