Active breach tracker Fajardo, Puerto Rico Disclosed April 6, 2026

Hospital Caribbean Medical Center Breach 2026 (The Gentlemen Ransomware): 92,000 Puerto Rico Patients Exposed. 577 GB Exfiltrated. What To Do

Hospital Caribbean Medical Center in Fajardo, Puerto Rico disclosed in February 2026 a ransomware attack by The Gentlemen group that exfiltrated approximately 577 GB of patient and operational data. 92,000 individuals affected. Initial Spanish-language press release did not offer credit monitoring. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 5, 2026

Hospital monitoring systems detect suspicious activity

Feb 5, 2026

Attacker gained access

Feb 8, 2026

Public Spanish-language press release issued

Feb 17, 2026

The Gentlemen lists hospital on leak site (~577 GB claimed)

Apr 6, 2026

Filed with HHS OCR (92,000 affected)

Apr 21, 2026

Individual notification letters mailed

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license / government ID

02

Health records

Don't expire and can't be reissued

Medical treatment and history

03

Contact & insurance

Phishing + targeted scams

Full name Home address Health insurance information Financial information (per secondary reporting)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Hospital Caribbean Medical Center is an independent community hospital in Fajardo, Puerto Rico, on the island’s east coast. It operates approximately 45 beds (some sources cite 25 beds plus a 4-bed ICU) and serves the Fajardo metro area and surrounding eastern PR municipalities. It is not part of a larger named hospital system.

In early February 2026, the hospital’s monitoring systems detected suspicious activity inside its network. The hospital engaged outside incident-response personnel, contained the activity, and on February 8, 2026 issued a Spanish-language press release stating that the cyberattack had been contained and operations were back to normal.

On February 17, 2026, the The Gentlemen ransomware group listed the hospital on its dark-web leak site, claiming approximately 577 GB of exfiltrated data and threatening to publish unless payment was received within roughly 9 to 10 days. The hospital has not publicly stated whether it engaged with the group or paid any ransom.

On April 6, 2026, Hospital Caribbean filed with the US Department of Health and Human Services Office for Civil Rights, confirming 92,000 affected individuals. Individual notification letters were reportedly mailed around April 21, 2026.

What was stolen

The hospital’s Spanish-language press release did not itemize specific data categories. Secondary reporting (HIPAA Journal, Comparitech) describes the exposed data as including:

  • Full name
  • Date of birth
  • Home address
  • Social Security number
  • Driver’s license / government ID
  • Health insurance information
  • Medical treatment and history
  • Financial information

The 577 GB volume claimed by The Gentlemen suggests a substantial dataset that likely includes operational and clinical files beyond the per-patient identifiers above. Hospital operational data and billing systems are typical in this volume of exfiltration.

What Hospital Caribbean Medical Center is offering

The initial press release did not offer credit monitoring, identity-theft protection, or a dedicated call center. Whether the April 21 individual notification letters added complimentary monitoring is not visible in public reporting as of mid-May 2026. Hospital main line: 787-801-0081.

The absence of an English-language substitute notice on the hospital’s website complicates response for affected individuals who do not read Spanish. The press-release PDF on the hospital’s homepage is the only first-party document publicly available.

What to do if you received a notification letter

This week:

  1. Place a free credit freeze at Equifax, Experian, and TransUnion. The full SSN exposure makes this essential, especially given the hospital does not appear to be offering monitoring.
  2. Pull a free credit report at annualcreditreport.com.
  3. File IRS Form 14039 to prevent fraudulent tax-return filings under your SSN.
  4. Consider purchasing your own credit monitoring since none is publicly offered. The 577 GB exfiltration volume and confirmed publication threat from The Gentlemen suggests the data is in the wild.
  5. Watch your insurance Explanation of Benefits for unfamiliar claims.

This month:

  1. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests, FTC HBNR deletion requests, and state-law deletion requests so the demographic and medical data exposed in this breach is not continuously re-shared by data brokers and downstream entities.
  2. If you are a Puerto Rico resident: Law 111-2005 (Information Security Act) provides additional notification and protection rights beyond federal HIPAA. The Puerto Rico Department of Consumer Affairs (DACO) is the consumer-protection regulator.

Frequently asked questions

Was my data published?

The Gentlemen group claimed 577 GB and threatened publication. Whether the full dataset has been published is not confirmed in public reporting. The group’s pattern is to publish when payment is not received.

Should I sue?

No data-breach class action has been filed against Hospital Caribbean Medical Center as of mid-May 2026. A separate unrelated medical-malpractice case exists in the District of Puerto Rico but it is not connected to this breach. We are not a law firm and cannot give legal advice.

Is HealthConsent affiliated with Hospital Caribbean Medical Center?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.