Cyber Incident Victim: Hospital Joaquín Paz Borrero
Date: Feb 2023
Location: Colombia
Summary
A ransomware attack targeted the Joaquín Paz Borrero Hospital, part of the Northern Health Network, leading to encrypted data on a critical server and a ransom demand communicated via a message left by the threat actors. The attackers instructed hospital management to contact them within 72 hours to negotiate retrieval of the encrypted information, warning that delays would escalate costs. In response, the Cali District Government activated contingency protocols to mitigate operational disruptions, though officials did not disclose the ransomware variant involved or confirm engagement with the perpetrators.
Description
On February 23, 2023, Joaquín Paz Borrero Hospital – part of the Northern Health Network (Red de Salud del Norte) in Cali, Colombia – experienced a ransomware attack disrupting its operations. The attackers encrypted data stored on the hospital's "server number 4," restricting access to critical information systems. A ransom note was left demanding contact within 72 hours to negotiate payment, with explicit warnings that delays would increase the financial penalty. Angie Gutiérrez, manager of ESE Norte, which oversees the hospital network, publicly confirmed the attackers did not specify a ransom amount but established the strict deadline for engagement. In response to the incident, the Cali District Government activated its predefined contingency plan to mitigate operational disruptions, though specific details of these emergency measures were not disclosed. The nature of the encrypted data – whether it included patient medical records, administrative systems, or other operational files – remained unverified by authorities at the time of reporting. The government declined to identify the ransomware variant involved or provide technical details about the intrusion vector, such as phishing, exploits, or compromised credentials. No evidence suggested stolen data was leaked prior to encryption, differentiating this incident from typical double-extortion ransomware campaigns observed elsewhere.

The attack forced Joaquín Paz Borrero Hospital into a reactive posture focused on containment and continuity, but official communications omitted specifics regarding service delays, canceled procedures, or impacts on patient care. The absence of public updates beyond the initial confirmation created ambiguity about the hospital's recovery timeline and the effectiveness of the contingency measures. Authorities did not disclose whether forensic investigations identified other compromised systems beyond server number 4 or if decryption attempts were underway. Similarly, they refrained from confirming or denying whether communication with the threat actors occurred prior to the 72-hour deadline expiring. The incident remained unresolved in public reporting, with no subsequent updates clarifying whether data was recovered, ransoms were paid, or law enforcement became involved. Prolonged silence from officials left the full operational and financial consequences unquantified, including potential costs associated with system restoration, lost revenue, or legal liabilities stemming from delayed medical services. This contrasts with contemporaneous incidents like the cyberattack on Chile’s FONASA, which acknowledged service disruptions but explicitly denied ransomware involvement and restored operations within days.
