Full Report
On December 8, 2024, DataBreaches reported that Watsonville Community Hospital in California was continuing to respond to what they referred to as a cyberattack on November 29. No gang had claimed responsibility at that point, patients hadn’t been notified yet, and the hospital wasn’t stating whether the attack involved encryption of any files. Weeks later,...
Analysis Summary
# Incident Report: Multiple Suspected Data Breaches at Watsonville Community Hospital
## Executive Summary
Watsonville Community Hospital (WCH) experienced at least one, and potentially two, significant data security events between November 2024 and August 2025, resulting in the exposure of sensitive patient and personnel data. The first incident, in November 2024, was initially described only as a cyberattack; the 'Termite' group later claimed to have accessed data. A second potential incident in August 2025 involved data encryption and exfiltration claimed by the 'Sinobi' group. The hospital's public disclosures have been inconsistent or incomplete, leaving the scope unclear and necessitating ongoing investigation.
## Incident Details
- **Discovery Date:** Prior to December 8, 2024 (First incident reported)
- **Incident Date:** November 29, 2024 (First suspected date); August 9, 2025 (Second suspected date)
- **Affected Organization:** Watsonville Community Hospital (Legal Name: Pajaro Valley Health Care District Hospital Corporation)
- **Sector:** Healthcare
- **Geography:** California, USA
## Timeline of Events
### Initial Access
- **Date/Time:** November 29, 2024 (First event)
- **Vector:** Cyberattack (Specific entry vector unknown)
- **Details:** The hospital began responding to a cyberattack. A later notice indicated that patient data had been accessed.
- **Date/Time:** August 9, 2025 (Second event, implied)
- **Vector:** Encryption event (Specific entry vector unknown)
- **Details:** Threat group 'Sinobi' claimed to have encrypted files and exfiltrated 13 GB of data.
### Lateral Movement
- Details are unconfirmed, but the presence of personnel and patient data from both incidents suggests established access within the network environments.
### Data Exfiltration/Impact
- **Termite (December 2024 claim):** Claimed personnel data and patient data.
- **Sinobi (July 2025 evidence):** Leaked data tranche included files dated March 2025, suggesting continued or renewed access between the two reported incidents.
- **Impact:** Compromise of PII (Name, DOB, SSN, Passport Number) and PHI (Diagnosis Information). Employees later reported becoming victims of tax refund fraud.
### Detection & Response
- **Detection:** Initial attack detected around November 29, 2024.
- **Response Actions:** The hospital filed reports with the FBI and "appropriate state and federal data privacy regulators" and issued a substitute notice on December 31, 2024. However, the public breach reporting required to HHS or the California Attorney General appears incomplete or missing as of October 2025.
## Attack Methodology
*Note: The source does not detail specific MITRE ATT&CK techniques; the mapping below is inferred from a typical breach progression and should be treated as hypothesis, not confirmed finding.*
- **Initial Access:** Unknown.
- **Persistence:** Implied, given the time gap between the November 2024 and August 2025 events, suggesting threat actors may have maintained access.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Specific techniques unknown; evasion is implied by the threat actors' ability to exfiltrate data over several months without public confirmation of remediation.
- **Credential Access:** No direct evidence; the exposure of SSNs and passport numbers indicates identity data compromise, which is not the same as theft of system credentials.
- **Discovery:** Implied by the collection of disparate patient and employee data.
- **Lateral Movement:** Implied to access both systems containing PII/PHI for exfiltration.
- **Collection:** Personnel data and patient data (Name, DOB, SSN, Passport Number, Diagnosis Info).
- **Exfiltration:** Data was claimed by Termite and later leaked by Sinobi.
- **Impact:** Data exposure leading to potential identity theft (e.g., employee tax refund fraud).
## Impact Assessment
- **Financial:** Not disclosed; potential costs related to remediation, notification, and potential regulatory fines.
- **Data Breach:** Sensitive PII (SSN, Passport, DOB) and PHI (Diagnosis Information) potentially affected across two separate timelines.
- **Operational:** Disruption noted in late November 2024; prolonged uncertainty regarding data security post-breach.
- **Reputational:** Significant negative impact due to delayed or incomplete public notification and subsequent media reporting highlighting the lack of transparency.
## Indicators of Compromise
*Note: The source provides no specific IoCs, and none are reproduced here. This section lists the categories of indicators observed.*
- **Network indicators:** The leak sites operated by the 'Termite' and 'Sinobi' groups (URLs not reproduced).
- **File indicators:** Data tranches leaked by both threat actors, differing in content and overlap.
- **Behavioral indicators:** Unauthorized access leading to data staging and file encryption (August 2025 event).
## Response Actions
- **Containment:** Not explicitly detailed, but response efforts were ongoing as of December 31, 2024.
- **Eradication:** Unknown, given the subsequent activity claimed by the Sinobi group.
- **Recovery:** Unknown, though the hospital committed to notifying affected individuals if identified.
## Lessons Learned
- The hospital experienced severe transparency lapses, failing to confirm the nature of the event (ransomware vs. simple access) and delaying or omitting notifications required by state and federal regulators (HHS, CA AG).
- The potential existence of two separate incidents (Nov 2024 and Aug 2025) suggests persistent security weaknesses or incomplete remediation following the initial attack.
- Employees have suffered direct consequences (tax refund fraud), aggravated by the breach timeline and notification delays.
## Recommendations
- Immediately conduct a comprehensive, transparent forensic investigation to definitively determine if one or two separate incidents occurred and what the full scope of PII/PHI compromise is.
- Issue comprehensive notifications to HHS and the California Attorney General, along with affected patients and employees, detailing findings for both potential timelines.
- Review and enhance network segmentation and access controls to prevent actors like Termite from potentially maintaining access or another group (Sinobi) gaining independent access.