PIH Health Notifies Patients Following December 2024 Ransomware Incident

By Daniel Lopez

PIH Health has begun notifying individuals whose personal and health information may have been accessed during a ransomware attack detected on December 1, 2024.

Incident Overview

PIH Health is a healthcare provider serving patients in Orange County and the San Gabriel Valley in California. The organization reported that a ransomware attack disrupted systems used by Downey Hospital, Good Samaritan Hospital, Whittier Hospital, urgent care clinics, home health services, hospice services, and physicians’ offices.

The organization detected the ransomware activity on December 1, 2024. A forensic investigation later determined that an unauthorized actor had access to the PIH Health network between November 14, 2024, and December 23, 2024.

The investigation confirmed that certain files stored on compromised portions of the network contained personal information and that the files may have been accessed or acquired without authorization.

Confirmation Of Data Exposure

On or about December 16, 2025, PIH Health confirmed that personal information was present in files identified on systems that had been accessed during the incident.

The organization conducted a detailed review of the affected data with assistance from third-party experts. The review process required an extended period of time due to the volume of files and the need to determine which individuals were affected.

After identifying the affected individuals in December 2025, PIH Health worked to gather contact information in order to send notification letters. The mailing process for those notification letters was completed on February 25, 2026.

Types Of Information Affected

The types of information involved vary by individual. Information present in the affected files included personally identifiable information and protected health information (PHI). The data may include names, addresses, medical information, health insurance information, Social Security numbers, taxpayer ID numbers, driver’s license numbers, financial account information, and credit or debit card numbers.

At the time notification letters were issued in compliance with HIPAA laws, PIH Health reported that it had not identified evidence of misuse or attempted misuse of the affected information.

Claims Regarding the Scope of the Data Theft

The threat actor responsible for the attack claimed that approximately 2 terabytes of data were exfiltrated and that the dataset included about 17 million patient records. PIH Health reported that it was unable to verify the authenticity of the ransom note or the claims regarding the data theft.

The total number of affected individuals has not been confirmed. The reported figure of 17 million records may not correspond to unique patients.

Response Actions and Assistance To Individuals

PIH Health stated that it took measures to secure its systems after detecting the activity and initiated an investigation into the incident. The organization is providing complimentary credit monitoring services and identity theft protection services to the affected individuals. PIH Health also reported that it implemented actions intended to reduce the likelihood of similar incidents occurring in the future.

Operational Impact During The Incident

The ransomware attack caused operational disruption across multiple PIH Health systems. Computer systems and phone systems were affected. Staff implemented downtime procedures to continue providing patient care and recorded patient information manually, which caused delays because of the additional workload created by the system outages.

Law Enforcement Involvement

Local police departments were notified about the incident. The Federal Bureau of Investigation was also engaged and involved in the criminal investigation related to the attack.

Image credit: Alek, Adobestock / logo©PIHHealth


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA