Posted By Steve Alder on Apr 22, 2025
Hospital Español Auxilio Mutuo de Puerto Rico has issued an update on a security incident that was first announced last summer. In its April 21, 2025, breach notice, Hospital Español Auxilio Mutuo explained that a notification was received from the Department of Homeland Security on September 23, 2023, that a cybercriminal group had likely targeted the hospital. An investigation was launched, and on November 21, 2023, evidence was found that was consistent with unauthorized network access, although it was not possible to determine if there had been any unauthorized data access or theft of information from its network.
A second investigation was conducted, and on May 15, 2024, evidence of unauthorized activity was identified consistent with data exfiltration from systems that contained patient data. On September 24, 2024, a team of internal and external IT experts concluded that the breach was limited to patients who visited the hospital between August 2022 and September 2023. The hospital was unable to determine the exact types of compromised information for individual patients. Potentially, the stolen data included names in addition to some or all of the following:
- Contact information (first and last name, address, date of birth, phone number, and email address)
- Health information (medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment information)
- Health insurance information (primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers)
- Billing, claims, and payment information (claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due)
- Other personal information (Social Security numbers, driver’s licenses or state ID numbers, or passport numbers)
Hospital Español Auxilio Mutuo has taken steps to improve network security to prevent similar incidents in the future. Individual notification letters are now being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services.
The data breach was reported to the HHS’ Office for Civil Rights on July 13, 2025, using a placeholder figure of 500 affected individuals, as at the time it was unclear how many individuals had been affected. The total has yet to be updated.
Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com