Cyber Incident Victim: Pacific Alliance Medical Center
Date: Jun 2017
Location: United States of America
Summary
Pacific Alliance Medical Center experienced a ransomware attack that encrypted files on its network, disrupting operations and potentially compromising sensitive patient and employee information. The organization promptly shut down affected systems, initiated forensic investigations with law enforcement, and restored data through decryption. Exposed information included names, Social Security numbers, health insurance details, medical treatment records, and diagnostic images. While no evidence indicated actual data theft or unauthorized access, precautionary notifications were issued to approximately 266,000 individuals alongside two years of complimentary identity theft protection services. Regulatory bodies including the U.S. Department of Health and Human Services and California authorities were informed of the incident.
Description
On June 14, 2017, Pacific Alliance Medical Center (PAMC) identified a cyber incident affecting its networked computer systems, suspected to have begun on or shortly before that date. The hospital's Information Technology Department conducted a preliminary assessment confirming a ransomware infection that encrypted files, disrupting operations. PAMC immediately shut down affected systems, initiated incident response protocols, engaged forensic investigators through legal counsel, and reported the incident to the Federal Bureau of Investigation. The organization prioritized restoring system functionality, successfully decrypting the compromised files without paying ransom. Forensic analysis found no evidence that attackers viewed, copied, or exfiltrated patient or employee data, consistent with typical ransomware objectives focused on operational disruption rather than data theft. PAMC maintained operations throughout the recovery process while implementing enhanced security controls to prevent recurrence.

The incident potentially exposed sensitive information of 266,123 patients and employees stored on affected servers, including names, dates of birth, Social Security numbers, health insurance details, employment records, treatment histories, diagnoses, medical images, and demographic data. As a precautionary measure despite no confirmed data misuse, PAMC mailed breach notifications to all potentially impacted individuals by August 2017 and established a toll-free call center with extended operating hours. The organization offered two years of complimentary identity theft protection services and provided instructions for credit monitoring enrollment. Regulatory notifications were submitted to the U.S. Department of Health and Human Services Office for Civil Rights, California Department of Public Health, and California Attorney General. PAMC implemented strengthened virus detection systems and additional safeguards while advising affected individuals to monitor financial accounts and credit reports through established channels like AnnualCreditReport.com. Restoration of encrypted data and systems was completed without evidence of persistent attacker access following containment.
