Hospital Caribbean Medical Center in Fajardo, Puerto Rico, has disclosed a ransomware attack affecting up to 92,000 individuals, with the threat actor known as The Gentlemen claiming responsibility and adding the hospital to its dark web leak site. The incident, confirmed via a hospital press release on February 8, 2026, and listed on the HHS Office for Civil Rights breach portal, is one of three healthcare breaches disclosed in the same window alongside incidents at Murray County Medical Center and Aligned Orthopedic Partners.
What Happened
Hospital Caribbean Medical Center issued a press release on February 8, 2026, disclosing a cyberattack targeting its information systems. The hospital declined to explicitly classify the intrusion as ransomware or detail the specific data categories exposed. On February 17, 2026, the threat actor group known as The Gentlemen publicly claimed responsibility by listing the hospital on its dark web leak site, threatening to publish stolen patient data unless a ransom was paid. The HHS Office for Civil Rights breach portal lists the incident as affecting up to 92,000 individuals, making it the most significant of three healthcare breaches disclosed in this reporting cycle.
The two parallel incidents underscore a broader pattern of sustained pressure on US healthcare providers. Murray County Medical Center in Slayton, Minnesota first detected suspicious IT activity on August 21, 2025, but did not confirm patient and employee data compromise until January 27, 2026, a gap of more than five months. Aligned Orthopedic Partners in Maryland reported an unauthorized actor accessing its email platform between November 16 and December 16, 2025, with suspicious activity first flagged on December 8.
What Was Taken
Hospital Caribbean Medical Center has not publicly itemized the data categories exposed in the attack, though The Gentlemen's leak-site posting indicates patient records are in the threat actor's possession. The breach affects up to 92,000 individuals according to HHS filings.
Data exposed across the related disclosures includes:
- Full names
- Dates of birth
- Social Security numbers
- Driver's license numbers
- Health insurance information
- Medical treatment details
- Medical history records
Murray County Medical Center confirmed 5,073 individuals were affected in its incident, with the above data types exposed. Aligned Orthopedic Partners identified its compromised data as among the most extensive in scope of the three disclosures.
Why It Matters
Healthcare continues to be one of the most heavily targeted verticals for ransomware operators, and The Gentlemen's claim against a Puerto Rico hospital demonstrates that US territories and smaller regional providers are squarely in scope. Double-extortion tactics, where attackers exfiltrate data before encryption and threaten public release, convert every breach into a privacy disaster even when backups restore operations.
The disclosure timelines across these three incidents are also telling. Murray County Medical Center's five-month gap between intrusion detection and confirmed data compromise highlights how difficult attribution and scope determination remain for smaller healthcare IT teams. For defenders, the 92,000-record scale of the Fajardo incident signals that regional hospitals face threat actor capabilities comparable to those aimed at large hospital systems.
The Attack Technique
Neither Hospital Caribbean Medical Center nor the reporting source has disclosed the initial access vector used by The Gentlemen. The group's modus operandi, based on its leak-site behavior, aligns with typical double-extortion ransomware operations: intrusion, lateral movement, data exfiltration, encryption, and public naming on a dark web leak site to pressure payment.
The related Aligned Orthopedic Partners incident involved unauthorized access to the organization's email platform over a 30-day window, a pattern consistent with business email compromise (BEC) or credential-theft-based intrusions. Email platform compromises of this duration commonly follow phishing, credential stuffing, or the abuse of legacy authentication protocols lacking modern MFA enforcement.
What Organizations Should Do
Healthcare organizations, particularly regional hospitals and specialty clinics, should prioritize the following defensive measures:
- Enforce phishing-resistant MFA across all email, VPN, and remote administration interfaces, and disable legacy authentication protocols that bypass modern access controls.
- Segment clinical and administrative networks to limit lateral movement from initial-access footholds to patient record systems, and isolate backup infrastructure from primary domain credentials.
- Deploy and tune EDR/XDR with 24/7 monitoring, paying particular attention to data-exfiltration indicators such as unusual outbound traffic volume, cloud-storage uploads, and archive-and-stage activity.
- Test incident response and breach notification processes against double-extortion scenarios, including decision trees for ransom communications, legal notification timelines, and leak-site monitoring.
- Monitor dark web leak sites, including those operated by The Gentlemen and similar emerging groups, to detect disclosure of organizational data before public claims are made.
- Audit third-party and vendor access to clinical systems, email tenants, and data repositories, as many healthcare breaches originate through trusted-partner or supply-chain compromise.
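
The exfiltration indicators named in the EDR/XDR item above (unusual outbound volume, cloud-storage uploads, archive-and-stage activity) are most useful when correlated per host rather than alerted on individually. The following is an added example, not from the original article or any organization named in it; the event format, hostnames, placeholder domains, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

ARCHIVERS = {"7z", "rar", "zip", "tar"}      # archive tools worth watching
CLOUD_SUFFIXES = (".storage.example",)       # placeholder watchlist (assumption)
SPIKE_FACTOR, FLOOR = 5, 500_000_000         # 5x host baseline and at least 500 MB

# Constructed sample events: (host, day, kind, detail, bytes_out)
EVENTS = [
    ("ehr-db01", 1, "flow", "updates.vendor.example", 40_000_000),
    ("ehr-db01", 2, "flow", "updates.vendor.example", 55_000_000),
    ("ehr-db01", 3, "flow", "updates.vendor.example", 48_000_000),
    ("ehr-db01", 4, "proc", "7z a stage.7z D:\\exports", 0),
    ("ehr-db01", 4, "flow", "bucket7.storage.example", 2_300_000_000),
    # Imaging workstation: large but steady traffic, so no spike
    ("rad-ws14", 1, "flow", "pacs.internal.example", 900_000_000),
    ("rad-ws14", 2, "flow", "pacs.internal.example", 950_000_000),
    ("rad-ws14", 3, "flow", "pacs.internal.example", 1_000_000_000),
    ("rad-ws14", 4, "flow", "pacs.internal.example", 1_100_000_000),
    # Archiving alone is routine admin work: one indicator, no alert
    ("hr-ws02", 4, "proc", "zip -r payroll.zip reports", 0),
]

def detect(events):
    """Return {(host, day): indicators} for host-days showing >= 2 indicators."""
    volume = defaultdict(lambda: defaultdict(int))
    hits = defaultdict(set)
    for host, day, kind, detail, nbytes in events:
        if kind == "flow":
            volume[host][day] += nbytes
            if detail.endswith(CLOUD_SUFFIXES):
                hits[(host, day)].add("cloud_upload")
        elif kind == "proc" and detail.split()[0].lower() in ARCHIVERS:
            hits[(host, day)].add("archive_stage")
    # Compare each day's outbound total with the median of that host's earlier days
    for host, days in volume.items():
        for day in sorted(days):
            prior = [v for d, v in days.items() if d < day]
            if prior and days[day] >= FLOOR and days[day] > SPIKE_FACTOR * median(prior):
                hits[(host, day)].add("volume_spike")
    return {k: sorted(v) for k, v in hits.items() if len(v) >= 2}

if __name__ == "__main__":
    for (host, day), why in detect(EVENTS).items():
        print(f"ALERT {host} day {day}: {', '.join(why)}")
```

Baselining per host keeps high-volume clinical systems such as imaging workstations from drowning out a database server that suddenly sends fifty times its usual traffic.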