Cyber Incident Victim: HLA Grupo Hospitalario

Date: Mar 2023

Location: Spain

Summary

A Spanish healthcare provider suffered a data exposure after a misconfigured web server permitted unauthorized access to patient and medical professional information. The compromised data, consisting of 45,000 patient records and details on 1,600 doctors, was subsequently listed for sale on a cybercrime forum, with samples provided to substantiate the claim. The threat actor asserted responsibility for obtaining the information and offered the full dataset for a negotiable price. The healthcare group's parent company acknowledged investigating the alert but could not confirm the purported theft or its scale at the time, and the hospital group did not respond to direct inquiries about the incident.

Description

On March 14, 2023, a user on BreachForums advertised the sale of data allegedly stolen from HLA Grupo Hospitalario, a Spanish hospital group owned by Asisa. The listing claimed to contain 45,000 patient records and information on 1,600 doctors, with samples provided to substantiate the offer. The seller privately disclosed to investigators that the data originated from a misconfigured web server compromised on March 10. They set an initial asking price of $300 for the complete dataset but indicated willingness to negotiate. HLA Grupo Hospitalario operates 18 hospitals and 17 medical centers across Spain, amplifying potential impacts due to the sensitive nature of the healthcare data involved. Parent company Asisa acknowledged awareness of the situation and initiated security protocols but declined to confirm either the data breach or its purported scale when contacted by media. Despite inquiries from multiple outlets, including a direct email request from DataBreaches, HLA Grupo Hospitalario provided no public statement or confirmation of the incident’s validity by March 17.

The advertised data, if verified, would constitute a significant exposure of protected health information and professional details affecting both patients and medical personnel. Asisa’s activation of security measures suggested internal recognition of potential compromise, though no technical specifics regarding detection methods or containment procedures were disclosed. The threat actor’s characterization of the intrusion as exploiting a web server misconfiguration implied possible unsecured storage of sensitive records, but no forensic evidence substantiating this claim was made public. No ransomware component or explicit extortion demand beyond the data sale listing surfaced in available reports. The lack of organizational confirmation left critical uncertainties unresolved regarding actual data exfiltration volumes, operational disruptions, or remediation efforts. Meanwhile, the presence of sample data in the forum listing increased credibility concerns about the authenticity and freshness of the records being marketed.
