PIH Health Notifies Patients About 2024 Hacking Incident
PIH Health, a healthcare provider serving patients in Orange County and the San Gabriel Valley in California, has started notifying patients affected by a December 2024 ransomware attack. The attack disrupted systems used by Downey Hospital, Good Samaritan Hospital, Whittier Hospital, as well as urgent care clinics, home health, hospice services, and physicians’ offices.
The ransomware attack was detected on December 1, 2024, and the forensic investigation confirmed that the threat actor had access to its network between November 14, 2024, and December 23, 2024. As detailed in our December 16, 2024, coverage below, the threat actor claimed to have exfiltrated around 2 terabytes of data in the attack, and claimed the data included around 17 million patient records. A ransom demand was issued, and some of the stolen data was leaked online. PIH Health learned of the hacker’s claims but said at the time that it was unable to verify the authenticity of the ransom note or the data theft claims.
PIH Health has been reviewing the exposed data with the help of third-party specialists, and on or around December 16, 2025, more than a year after the attack was detected, PIH Health confirmed that patient information was present in files on the compromised parts of its network, and the files may have been accessed or acquired by the threat actor.
PIH Health said its detailed review of the affected data was time-intensive, hence the time taken to complete the review. After obtaining the full list of affected individuals in December 2025, PIH Health worked to gather contact information to allow notification letters to be mailed. That process was completed on February 25, 2026, and individuals affected by the breach are now learning that their data was compromised in the attack.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
PIH Health said the types of data involved vary from individual to individual and, at the time of issuing notification letters, no evidence has been found of any misuse or attempted misuse of the affected information. The breach included personally identifiable information and protected health information such as names, addresses, medical information, health insurance information, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, and credit/debit card numbers. PIH Health has offered the affected individuals complimentary credit monitoring and identity theft protection services, and has taken steps to minimize the risk of similar incidents occurring in the future.
What has yet to be confirmed is the scale of the data breach. While there has been a claim that 17 million records were stolen, that claim may have been exaggerated, and if the claim is correct, those records may not relate to unique patients. The data breach is not yet showing on the HHS’ Office for Civil Rights website, and the California Attorney General does not publish details about the scale of a data breach. Most of the affected individuals are likely to reside in California, but we have confirmed that the Texas Attorney General has been notified that 8,434 Texas residents were affected.
Last year, the HHS’ Office for Civil Rights announced that it had agreed to a $600,000 settlement with PIH Health to resolve potential HIPAA violations related to a 2020 phishing attack that affected 189,763 individuals. OCR determined that the HIPAA Security Rule had been violated as PIH Health failed to conduct a comprehensive and accurate risk analysis, as well as the HIPAA Breach Notification Rule, as PIH Health failed to issue timely notifications to OCR, the affected individuals, and the media.
December 16, 2024: Hackers Claim to Have Stolen 17 Million Patient Records from PIH Health
The hacking group behind the cyberattack on the Californian healthcare provider PIH Health on December 1, 2024, claims to have exfiltrated a huge amount of sensitive data before encrypting files. If the hackers are to be believed, they exfiltrated 17 million patient records.
Southern California News Group obtained a copy of a ransom note that had allegedly been faxed to PIH Health. The hackers claimed to have exfiltrated around 2 terabytes of sensitive data in the attack. The note states that the stolen data includes 17 million patient records, data for more than 8.1 million “medical episodes” that include patients’ home addresses, cancer patients’ treatment records, private emails including test results and treatments, confidentiality agreements with employees, and around 100 active nondisclosure agreements between PIH Health and other medical organizations. The hackers also provided a link where screenshots of the stolen data had been uploaded.
Southern California News Group said no hacking group had claimed responsibility for the attack. PIH Health was unable to verify the authenticity of the ransom note or the data theft claims. The PIH website notice states, “PIH Health is working with cyber forensic specialists to assess the issue. Impacted individuals will be notified if protected health information is found to be compromised.”
Multiple systems were taken offline as a result of the incident, and phone lines were also disrupted. The phone system used by PIH Health’s Good Samaritan Hospital in Los Angeles was unaffected, and lines from its Whittier and Downey hospitals have been rerouted there. While the attack has caused major disruption to its computer systems, staff are working on downtime procedures, and care continues to be provided to patients, with patient data recorded manually; however, staff members are struggling with the additional workload that this creates, and delays are being experienced by patients.
PIH Health updated its website FAQ about the incident on December 13, 2024, but was still not able to provide a timeline on when its systems are likely to be restored. PIH Health said local police departments have been notified, and the Federal Bureau of Investigation (FBI) has been engaged and is involved in the criminal investigation. PIH Health said it is doing everything possible to rectify the situation.
Hackers have been known to exaggerate the extent of data theft, and even if 17 million records were stolen, there may be duplicate records in the dataset. If it turns out that 17 million current and former patients have been affected, this would be the second-largest data breach of the year, behind the 100-million-record data breach at Change Healthcare in February.
