
Caribbean Medical Center Ransomware Attack Exposes 92,000 Patient Records

Timeline, impact and mitigations of the Feb 2026 ransomware attack on Caribbean Medical Center that exposed about 92,000 patient records and was claimed by ransomware group The Gentlemen.

Peter Olaleru, Cybersecurity Editor

Source: Claimdepot

On February 8, 2026, Caribbean Medical Center announced it had contained a ransomware incident that had already exposed the personal data of about 92,000 U.S. patients. Nine days later the ransomware group The Gentlemen claimed possession of the stolen data and threatened to publish it within ten days.

Context

Caribbean Medical Center is a 25‑bed acute care hospital in Fajardo, Puerto Rico. It operates 24 hours a day, every day of the year, providing emergency services, inpatient care, laboratory, radiology and X‑ray services, an on‑site pharmacy, outpatient radiology, and medical specialties including internal medicine, cardiology, pediatrics and obstetrics, to pediatric, adult and geriatric patients. The hospital disclosed the breach to the U.S. Department of Health and Human Services after detecting suspicious activity through its internal monitoring systems.

Key Facts

The hospital’s press release dated Feb 8, 2026 stated that containment and isolation measures had been enacted with external cybersecurity experts and that normal network operations were restored. At that time a technical analysis was underway to determine the full scope. On Feb 17, 2026 the group The Gentlemen posted on a dark‑web forum reachable via Tor that it had exfiltrated the hospital’s data and intended to release it within nine to ten days. The disclosed impact covers approximately 92,000 individuals whose personal and possibly protected health information may have been compromised. No date for the initial intrusion was provided, nor were the exact data elements listed in the announcement. The press release did not mention credit‑monitoring or identity‑protection services, or a dedicated call center for affected individuals, at the time of announcement.

What It Means

The incident illustrates a classic ransomware workflow: initial access, lateral movement, data exfiltration, and extortion. While the hospital’s rapid detection limited operational disruption, the attackers succeeded in stealing a large volume of records before containment. Defenders should prioritize mitigations that interrupt the attack chain: enforce multi‑factor authentication on remote access (MITRE ATT&CK T1078), block phishing‑laden attachments with email gateway rules (T1566), and apply patches for known vulnerabilities such as CVE‑2023‑23397 (Outlook privilege escalation) and CVE‑2022‑22965 (Spring4Shell) if applicable. Network segmentation between clinical and administrative systems reduces lateral movement (T1021). Deploy endpoint detection and response tools that flag credential dumping (T1003) and unusual data transfers (T1041). Maintain offline, encrypted backups tested quarterly to enable recovery without paying ransom. Monitor dark‑web mentions of the organization’s name and prepare a communication plan for potential data release. Because the breach involves protected health information, the incident triggers HIPAA breach notification requirements and may attract scrutiny from the Office for Civil Rights.
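As an added example (not code from the article, the hospital, or any vendor), the "unusual data transfers" check above in its simplest form: sum each internal host's egress to external destinations from firewall log lines and flag outliers against both an absolute floor and the peer median. The log format, field names, thresholds and RFC 1918 internal ranges are assumptions, and the log lines are constructed.

```python
"""Flag internal hosts with anomalous external egress volume (T1041-style)."""
from collections import defaultdict
import ipaddress
import re
import statistics

# Constructed sample firewall log lines (hypothetical format).
# 10.20.4.40 pushes ~1.3 GB to one external host overnight; 10.20.4.22's large
# transfer is internal-to-internal (e.g. backup) and must not be flagged.
SAMPLE_LOG = """\
2026-02-07T01:12:03Z src=10.20.4.15 dst=203.0.113.7 bytes_out=18432
2026-02-07T01:13:10Z src=10.20.4.22 dst=198.51.100.9 bytes_out=20480
2026-02-07T01:14:41Z src=10.20.4.15 dst=203.0.113.7 bytes_out=16384
2026-02-07T01:15:02Z src=10.20.4.31 dst=192.0.2.44 bytes_out=22528
2026-02-07T02:03:55Z src=10.20.4.40 dst=203.0.113.88 bytes_out=734003200
2026-02-07T02:10:17Z src=10.20.4.40 dst=203.0.113.88 bytes_out=629145600
2026-02-07T02:20:09Z src=10.20.4.22 dst=10.20.9.5 bytes_out=512000000
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)")

# Assumption: the hospital's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_totals(log_text: str) -> dict[str, int]:
    """Bytes sent per internal host to external destinations only."""
    totals: dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            totals[m["src"]] += int(m["bytes"])
    return dict(totals)


def flag_exfil_candidates(log_text: str, abs_threshold: int = 500 * 1024 * 1024,
                          ratio: float = 20.0) -> list[tuple[str, int]]:
    """Hosts whose egress exceeds the floor AND `ratio` x the peer median."""
    totals = outbound_totals(log_text)
    if not totals:
        return []
    median = statistics.median(totals.values())
    return sorted((h, b) for h, b in totals.items()
                  if b > abs_threshold and b > ratio * median)
```

A real deployment would baseline per host over weeks rather than against a single night's peers, and would join the flagged host to EDR telemetry for the credential-dumping indicators mentioned above.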

What to watch next: whether The Gentlemen follow through on their threat to publish the stolen data, any subsequent extortion demands, and updates from the hospital’s ongoing forensic analysis.
