Full Report
Juan F. Luis Hospital CEO Darlene A. Baptiste says no personal data was stolen in the April cyberattack that forced the hospital offline for months, causing major billing delays, financial losses, and a massive system rebuild now nearly complete. Ernice Gilbert reports: The April cyberattack that crippled the Juan F. Luis Hospital’s electronic systems cost the facility... Source
Analysis Summary
# Incident Report: Juan F. Luis Hospital System Disruption
## Executive Summary
Juan F. Luis Hospital (JFL) suffered a significant cyberattack in April 2025 that crippled its electronic systems, forcing a near five-month operational shutdown of billing and forcing a complete IT infrastructure rebuild. While the attack caused substantial financial losses—estimated at up to $800,000 weekly due to delayed cash flow—the CEO confirmed that no patient or staff sensitive data was compromised.
## Incident Details
- **Discovery Date:** On or shortly after the attack date, April 26, 2025.
- **Incident Date:** April 26, 2025
- **Affected Organization:** Juan F. Luis Hospital (JFL)
- **Sector:** Healthcare
- **Geography:** U.S. Territories (Implied: Virgin Islands)
## Timeline of Events
### Initial Access
- **Date/Time:** April 26, 2025
- **Vector:** Exploitation of an overlooked vulnerability on two local servers (described metaphorically as an unprotected "doggy door").
- **Details:** Attackers gained entry by exploiting a security gap that the existing perimeter defenses (firewalls, etc.) failed to cover.
### Lateral Movement
- **Details:** The article does not specify techniques used for internal network movement, but the impact suggests the attackers achieved significant control to disable electronic systems.
### Data Exfiltration/Impact
- **Details:** The primary impact was operational disruption. Electronic billing ceased immediately, forcing a reversion to manual paper billing. The system outage lasted nearly five months, causing massive cash flow delays. **Crucially, the CEO stated no patient or staff data was exfiltrated or stolen.**
### Detection & Response
- **How it was discovered:** The attack was discovered when electronic systems were rendered inoperable, forcing manual processes.
- **Response actions taken:** The hospital reverted to manual operations, began a process of submitting paper bills, and initiated a complete rebuild of its technology infrastructure, which was described as nearly complete at the time of the report (October 2025).
## Attack Methodology
- **Initial Access:** Exploitation of an "overlooked vulnerability" on two local servers.
- **Persistence:** Not explicitly detailed, but sufficient to maintain control long enough to disrupt core services for months.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Achieved by exploiting a gap in perimeter security controls ("doggy door").
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified.
- **Collection:** Not specified, as the primary impact was denial of service/operational shutdown rather than data theft.
- **Exfiltration:** No evidence of data exfiltration was reported.
- **Impact:** Operational disruption, forcing months of manual workarounds and significant financial loss due to inability to electronically bill.
## Impact Assessment
- **Financial:** Estimated loss/delayed cash flow of $750,000 to $800,000 per week for nearly five months.
- **Data Breach:** **None.** CEO explicitly stated no patient or staff data was compromised.
- **Operational:** Severe disruption, forcing a reversion to manual paper billing and necessitating a complete rebuild of the technology infrastructure over five months.
- **Reputational:** Moderate, involving a public disclosure during a town hall, but mitigated by the confirmation of no data loss.
## Indicators of Compromise
*(Note: Due to the nature of the high-level report, specific IOCs were not provided. Indicators would typically focus on the compromised service/server access.)*
- **Network indicators:** Access attempts or activity originating from systems connected to the two local servers that were breached.
- **File indicators:** None documented.
- **Behavioral indicators:** System-wide failure of electronic processes requiring massive manual intervention.
## Response Actions
- **Containment measures:** Not detailed, but implied immediate isolation of the compromised local servers.
- **Eradication steps:** Complete rebuild of the technology infrastructure.
- **Recovery actions:** Reverting from manual operations to the newly rebuilt systems.
## Lessons Learned
- **Key takeaways:** Reliance on perimeter defenses alone is insufficient; internal/non-standard paths (the "doggy door") must be thoroughly secured and monitored.
- **What could have been done better:** The vulnerability that led to initial access could have been identified and remediated prior to the incident.
## Recommendations
- Conduct comprehensive vulnerability scanning and penetration testing that specifically targets non-standard access vectors ("doggy doors") beyond typical firewall configurations.
- Review and enhance security monitoring around local, potentially less protected, servers.
- Implement offline or robust manual fallback contingency plans for critical revenue/billing systems to minimize cash flow impacts during downtime.