Cyber Incident Victim: Hospital Centro de Andalucia
Date: Dec 2021
Location: Spain
Summary
Hospital Centro de Andalucia, a private facility operated by Amaveca Salud, suffered a ransomware attack by the Vice Society group, which compromised two domains and exfiltrated data. The organization refused ransom demands, restored operations using unaffected backups, and reported the incident to Spanish authorities while forensic analysis continued. The attackers leaked 127 GB of compressed files containing internal documents, employee records—including COVID-19 status, identification copies, and contracts—alongside limited patient data such as test results, consent forms, medical reports, and appointment details. Amaveca Salud acknowledged the breach impacted the hospital but did not confirm wider organizational effects, pending completion of its investigation to determine GDPR notification requirements.
Description
In mid-December 2021, Vice Society ransomware actors targeted Hospital Centro de Andalucia, a private healthcare facility operated by Amaveca Salud in Lucena, Spain. The attackers compromised two domains within the organization’s network, exfiltrating data and deploying ransomware. Amaveca Salud declined to pay the ransom demand and initiated incident response procedures, including restoring systems from unaffected backups. This restoration allowed the hospital to resume normal operations quickly, with no reported disruption to patient care services. The incident remained undisclosed publicly until Vice Society listed the hospital on their data leak site and released approximately 127 GB of compressed stolen data in December 2021. Amaveca Salud confirmed the cyberattack in a January 11, 2022, website statement, noting they had reported the breach to Spain’s National Police and the Spanish Data Protection Agency (AEPD). The hospital acknowledged forensic analysis was ongoing to determine the exact scope and types of data compromised but emphasized no operational interruptions occurred due to their rapid containment actions.

The leaked data, reviewed by DataBreaches.net, contained internal organizational documents such as invoices, budgets, commercial contracts, and employee records, including COVID-19 vaccination statuses, photocopies of national identity documents (DNIs), resumes, and employment contracts. Patient-related files were also identified, encompassing COVID-19 test results, treatment consent forms, medical reports, mammography appointments, outpatient visit details, and laboratory records containing demographic, insurance, and clinical information. Vice Society asserted they extracted data from both targeted domains, contradicting Amaveca Salud’s initial implication that only the hospital was affected. The hospital’s forensic team continued investigating the full extent of the breach; once that investigation was complete, they would issue detailed notifications to comply with GDPR and national data protection laws. No evidence suggested ransomware impacted other Amaveca Salud facilities beyond Hospital Centro de Andalucia at the time of reporting.
