Ransomware Attack on Hospital Caribbean Medical Center Affects 92,000 Individuals - The HIPAA Journal

Ransomware Attack on Hospital Caribbean Medical Center Affects 92,000 Individuals Posted By Steve Alder on Apr 22, 2026 A ransomware attack on Hospital Caribbean Medical Center in Puerto Rico has affected up to 92,000 individuals. Data breaches have also been announced by Murray County Medical Center in Minnesota and Aligned Orthopedic Partners in Maryland. Hospital Caribbean Medical Center, Puerto Rico A major data breach has been announced by Hospital Caribbean Medical Center in Fajardo, Puerto Rico. While it is unclear when the attack occurred, the hospital issued a press release on February 8, 2026, about a cyberattack that targeted its information systems. The intrusion was detected by its monitoring systems, and steps were immediately taken to contain the incident and prevent further unauthorized access to its IT systems. The types of information exposed in the incident were not detailed in the press release, nor was the number of affected individuals; however, the incident is now shown on the HHS’ Office for Civil Rights breach portal as affecting up to 92,000 individuals. Hospital Caribbean Medical Center said it has reinforced its monitoring systems, implemented additional updates to its technological infrastructure, and strengthened its internal security protocols. While not described as a ransomware attack, a ransomware group claimed responsibility for the incident. A group known as The Gentlemen added Hospital Caribbean Medical Center to its dark web data leak site on February 17, 2026, claiming to have exfiltrated sensitive data, including patient information, and threatened to release the stolen data if the ransom was not paid. Get The FREE HIPAA Compliance Checklist Immediate Delivery of Checklist Link To Your Email Address Business Email * Name * First Last Number * Company Name * Get Free Checklist Please Enter Correct Email Address Your Privacy Respected HIPAA Journal Privacy Policy Murray County Medical Center, Minnesota The County of Murray has announced a data security incident that affected current and former patients of Murray County Medical Center in Slayton, Minnesota. The data breach was first announced in early March 2026, although the incident was first detected on August 21, 2025, when suspicious activity was observed in its IT systems. A leading IT security firm was engaged to assist with the investigation, secure its network, and determine whether any sensitive data had been exposed or stolen in the incident. Unauthorized access to computer systems was confirmed; however, it took until January 27, 2026, to determine that patient and employee data had been compromised in the incident. Information exposed or stolen included patient names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical treatment information, and medical history information. The data breach has recently been added to the HHS’ Office for Civil Rights breach portal as affecting 5,073 individuals. Murray County Medical Center has implemented additional safeguards to prevent similar incidents in the future and is offering the affected individuals complimentary credit monitoring and identity theft protection services. Aligned Orthopedic Partners, Maryland ASC Ortho Management Company, LLC, which does business as Aligned Orthopedic Partners, has announced a data security incident involving its email platform. Suspicious activity was identified on December 8, 2025, and the investigation confirmed that an unknown actor accessed the platform between November 16, 2026, and December 16, 2026, during which time, personal and protected health information may have been viewed or acquired. The email system was reviewed, and on February 17, 2026, Aligned Orthopedic Partners confirmed that the exposed data included names, dates of birth, Social Security numbers, driver’s license or state identification numbers, Medicaid or Medicare numbers, financial account numbers, medical dates of service, medical provider names, mental or physical condition, medical treatment information, diagnosis or clinical information, prescription information, health insurance information, patient account numbers, and medical record numbers. Notification letters were mailed to the affected individuals on April 17, 2026, and complimentary identity protection services have been offered. Steps have been taken to augment security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.