PIH Health begins notifying patients after 2024 ransomware attack exposed sensitive data

PIH Health, a California-based healthcare provider serving patients across Orange County and the San Gabriel Valley, has begun notifying individuals whose personal and medical information was exposed in a ransomware attack discovered in December 2024.

The cyberattack disrupted technology systems used by several PIH Health facilities, including Downey Hospital, Good Samaritan Hospital and Whittier Hospital, along with urgent care clinics, physicians’ offices, home health operations and hospice services across the network.

Security teams detected the intrusion on Dec. 1, 2024. A subsequent forensic investigation determined that an unauthorized actor had access to PIH Health’s network from Nov. 14, 2024, through Dec. 23, 2024. The attacker issued a ransom demand and some stolen data later appeared online.

PIH Health conducted a detailed review of systems affected by the intrusion with assistance from third-party cybersecurity specialists. On or around Dec. 16, 2025, the organization confirmed that files stored on compromised portions of its network contained patient information and that those files may have been accessed or obtained by the threat actor.

The review process required more than a year to complete due to the complexity and volume of the data involved. After compiling a complete list of affected individuals in December 2025, PIH Health gathered contact information so notification letters could be mailed. That effort concluded Feb. 25, 2026, and letters are now being sent to impacted individuals.

The information exposed in the breach varies by person. Compromised data includes personally identifiable information and protected health information such as names, addresses, medical information, health insurance details, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information and credit or debit card numbers.

At the time notification letters were issued, PIH Health stated that investigators had not identified evidence indicating misuse or attempted misuse of the exposed data.

The healthcare system is offering complimentary credit monitoring and identity theft protection services to affected individuals and has implemented additional security measures intended to reduce the risk of similar incidents in the future.

The total number of individuals affected has not been publicly confirmed. The attacker claimed to have exfiltrated approximately 2 terabytes of data and asserted that the dataset included around 17 million patient records. That figure remains unverified, and the records referenced may not correspond to unique individuals.

Regulatory filings indicate that at least 8,434 residents of Texas were affected by the incident. Most impacted individuals are believed to reside in California.

The breach does not yet appear on the federal breach portal maintained by the U.S. Department of Health and Human Services Office for Civil Rights, which tracks healthcare data incidents involving large numbers of individuals.