Cyber Incident Victim: Mission Health
Date: May 2023
Location: United States of America
Summary
Mission Community Hospital discovered a ransomware attack when its investigation of a network switch failure uncovered a system compromise. The RansomHouse group claimed responsibility for the breach, alleging it stole 2.5 TB of data, including patient information. The attackers exploited vulnerabilities within the network and VMware environments. The hospital, owned by Deanco Healthcare, is investigating the incident to determine the specific types of data that were compromised.
Description
On May 1, 2023, Mission Community Hospital initiated an investigation into a network switch failure. During the course of this investigation, evidence of a broader network compromise was discovered. The hospital, based in Panorama City, California and owned by Deanco Healthcare, LLC, continued its investigation and determined that a ransomware group had accessed its IT network. The intrusion was attributed to vulnerabilities existing within both the hospital's general network infrastructure and its specific VMware environments. The hospital did not publicly disclose the incident at this initial stage as its internal investigation was ongoing.

Subsequently, on May 31, 2023, the well-known ransomware group RansomHouse publicly claimed responsibility for an attack on Mission Community Hospital. The group added the hospital to its victim list and asserted it had successfully exfiltrated 2.5 terabytes of data from the hospital's systems. As proof of their claims, RansomHouse provided several files allegedly taken during the attack. The group specifically claimed the stolen data included a large amount of confidential patient information. This public disclosure by the threat actor brought the incident to wider attention, with the website databreaches.net reporting on the ransomware group's claims.

In direct response to the public claims made by RansomHouse, legal counsel for Mission Community Hospital released a confirmatory letter on June 1, 2023. This letter officially acknowledged that a cyberattack had occurred, validating the core claims made by the ransomware group. The hospital's statement confirmed the initial detection timeline, noting the discovery of the compromise while investigating the May 1st network switch failure. The hospital's investigation into the full scope and impact of the security incident remained active and was not yet finalized at the time of this confirmation.

The primary impact of the incident was the potential exposure of a vast quantity of sensitive patient data. As a healthcare provider serving the San Fernando Valley with 75 medical/surgical beds, 10 critical care beds, and 60 psychiatric care beds, Mission Community Hospital possesses a significant amount of confidential patient information. The majority of its services are provided to Medicare and Medi-Cal beneficiaries, making the data particularly sensitive. The ransomware group's claim of exfiltrating 2.5 TB of data, which they stated included patient information, indicated a breach of substantial scale. The types of specific data elements compromised, such as names, addresses, Social Security numbers, or medical records, were not immediately released by the hospital as its investigation was still working to finalize the details of what was accessed and acquired.

The hospital's response actions involved a continued internal investigation to determine the precise parameters of the data breach. This process was necessary to identify exactly which data types were impacted and which individuals were affected. Mission Community Hospital stated that once its investigation confirmed patient data was indeed compromised, it would be required to begin sending out formal data breach notification letters to all individuals whose information was involved in the incident. These letters are a standard regulatory requirement intended to inform victims of the exposure of their personal data. The hospital did not publicly disclose whether a ransom was demanded or paid, nor did it detail any specific steps taken to contain the breach or eradicate the threat actor from its systems beyond the initial discovery and investigation.

The confirmed method of attack was exploitation of vulnerabilities in the network and VMware environments, though the specific technical details of these vulnerabilities were not disclosed. The incident involved a confirmed ransomware attack and a confirmed data exfiltration, as claimed by RansomHouse and acknowledged by the hospital. The full consequences regarding identity theft, fraud, or operational disruption were not detailed in the immediate aftermath of the public confirmation.
