What happened
Three US healthcare organizations have disclosed data breaches affecting patient and employee information, with the most significant involving a ransomware attack on Hospital Caribbean Medical Center in Fajardo, Puerto Rico.
The Puerto Rico hospital issued a press release on February 8, 2026, disclosing a cyberattack that targeted its information systems. The incident is listed on the HHS Office for Civil Rights breach portal as affecting up to 92,000 individuals. The hospital did not specify what types of data were exposed or confirm the ransomware classification, but a group called The Gentlemen claimed responsibility on February 17, adding the hospital to its dark web leak site and threatening to publish stolen patient data if a ransom was not paid.
Murray County Medical Center in Slayton, Minnesota disclosed in early March 2026 that suspicious activity was detected in its IT systems on August 21, 2025. It took until January 27, 2026, to confirm that patient and employee data had been compromised. Exposed information includes names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical treatment details, and medical history. The breach affects 5,073 individuals.
Aligned Orthopedic Partners in Maryland disclosed that an unknown actor accessed its email platform between November 16 and December 16, 2025, with suspicious activity identified on December 8. The compromised data is among the most extensive of the three incidents, spanning names, dates of birth, Social Security numbers, Medicaid and Medicare numbers, financial account numbers, mental and physical condition information, prescription details, diagnosis and clinical information, and medical record numbers. Notification letters were mailed on April 17, 2026. The number of affected individuals has not yet appeared on the HHS breach portal.
Who is affected
Patients and employees across all three organizations face exposure of sensitive personal and health information. The Aligned Orthopedic Partners breach is particularly broad in scope given the range of data categories confirmed as compromised, including financial account numbers and mental health information. The 92,000 figure for Hospital Caribbean Medical Center represents a significant portion of the population in the Fajardo region of Puerto Rico.
Why CISOs should care
The Murray County Medical Center timeline is worth examining closely. Suspicious activity was detected in August 2025, but it took until late January 2026, five months, to confirm that data had actually been compromised. That dwell time and investigation gap is not unusual in healthcare, but it directly affects notification timelines, regulatory exposure, and the window during which affected individuals have no way to protect themselves.
The Aligned Orthopedic Partners breach also illustrates a recurring pattern: email platform compromises in healthcare consistently yield some of the broadest data exposures, because clinical staff use email to share exactly the kind of sensitive, multi-category patient information that makes healthcare breaches so damaging.
3 practical actions
- Compress investigation-to-confirmation timelines with better forensic readiness: A five-month gap between detection and confirmed data compromise is a significant liability. Investing in forensic tooling, retained incident response relationships, and log retention policies that support faster investigation will reduce both regulatory risk and patient harm.
- Restrict clinical data sharing through email: Email remains one of the most common breach vectors in healthcare precisely because it carries so much sensitive information. Review what categories of patient data are routinely shared via email and whether alternative secure messaging or clinical communication platforms can reduce that exposure.
- Monitor ransomware leak sites for listings involving your organization or partners: Hospital Caribbean Medical Center’s listing appeared nine days after the hospital’s own press release. Proactive monitoring of leak sites can provide earlier warning and more time to assess the credibility of theft claims before they become public.
Other healthcare data breaches in the news: