Incident

PIH Health hit by ransomware attack, hackers claim data breach of 17M people



PIH Health, a Southern California healthcare provider, was hit by a ransomware attack on December 1, 2024, causing widespread disruption across its network of three hospitals, urgent care centers, doctors' offices, and home health services.

The attack has paralyzed operations at PIH Health Downey Hospital, PIH Health Whittier Hospital, and PIH Health Good Samaritan Hospital in Los Angeles, forcing the healthcare system to revert to manual processes and emergency procedures. The impact on daily operations has been severe, with the attack disabling critical systems including patient health records, laboratory systems, pharmacy operations, radiology, patient registration, and most information technology infrastructure.

The threat actors claim to have exfiltrated approximately 2 terabytes of sensitive data, including an alleged 17 million patient records and data for over 8.1 million medical episodes. The stolen information reportedly includes:

  • Patient personal information (addresses, phone numbers, employment details)
  • Medical expense records
  • Confidential diagnoses and test results
  • Patient photos and scans
  • Cancer treatment records
  • Oncology profitability and volume reports
  • Private patient-provider email communications
  • Approximately 100 active nondisclosure agreements
  • Employee confidentiality agreements

The attackers provided screenshots of oncology reports and billing information, and delivered their demands via faxed letters to multiple PIH facilities.

While PIH Health maintains that it continues to provide patient care safely using downtime procedures, the situation has forced significant operational changes. Staff members are relying on personal cell phones for patient communications, sharing limited hotspot connections, and reverting to paper-based documentation.

PIH Health is currently working with cyber forensic specialists and the FBI to investigate the incident. The organization has stated on their website that they have no confirmation of patient information being compromised, though they will notify affected individuals if such evidence emerges.
