Hospital Caribbean Medical Center Breach 2026 (The Gentlemen Ransomware): 92,000 Puerto Rico Patients Exposed. 577 GB Exfiltrated. What To Do
Hospital Caribbean Medical Center in Fajardo, Puerto Rico disclosed in February 2026 a ransomware attack by The Gentlemen group that exfiltrated approximately 577 GB of patient and operational data. 92,000 individuals affected. Initial Spanish-language press release did not offer credit monitoring. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 5, 2026
Hospital monitoring systems detect suspicious activity
Feb 5, 2026
Attacker gained access
Feb 8, 2026
Public Spanish-language press release issued
Feb 17, 2026
The Gentlemen lists hospital on leak site (~577 GB claimed)
Apr 6, 2026
Filed with HHS OCR (92,000 affected)
Apr 21, 2026
Individual notification letters mailed
Feb 5, 2026
Hospital monitoring systems detect suspicious activity
Feb 5, 2026
Attacker gained access
Feb 8, 2026
Public Spanish-language press release issued
Feb 17, 2026
The Gentlemen lists hospital on leak site (~577 GB claimed)
Apr 6, 2026
Filed with HHS OCR (92,000 affected)
Apr 21, 2026
Individual notification letters mailed
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Hospital Caribbean Medical Center is an independent community hospital in Fajardo, Puerto Rico, on the island’s east coast. It operates approximately 45 beds (some sources cite 25 beds plus a 4-bed ICU) and serves the Fajardo metro area and surrounding eastern PR municipalities. It is not part of a larger named hospital system.
In early February 2026, the hospital’s monitoring systems detected suspicious activity inside its network. The hospital engaged outside incident-response personnel, contained the activity, and on February 8, 2026 issued a Spanish-language press release stating that the cyberattack had been contained and operations were back to normal.
On February 17, 2026, the The Gentlemen ransomware group listed the hospital on its dark-web leak site, claiming approximately 577 GB of exfiltrated data and threatening to publish unless payment was received within roughly 9 to 10 days. The hospital has not publicly stated whether it engaged with the group or paid any ransom.
On April 6, 2026, Hospital Caribbean filed with the US Department of Health and Human Services Office for Civil Rights, confirming 92,000 affected individuals. Individual notification letters were reportedly mailed around April 21, 2026.
What was stolen
The hospital’s Spanish-language press release did not itemize specific data categories. Secondary reporting (HIPAA Journal, Comparitech) describes the exposed data as including:
- Full name
- Date of birth
- Home address
- Social Security number
- Driver’s license / government ID
- Health insurance information
- Medical treatment and history
- Financial information
The 577 GB volume claimed by The Gentlemen suggests a substantial dataset that likely includes operational and clinical files beyond the per-patient identifiers above. Hospital operational data and billing systems are typical in this volume of exfiltration.
What Hospital Caribbean Medical Center is offering
The initial press release did not offer credit monitoring, identity-theft protection, or a dedicated call center. Whether the April 21 individual notification letters added complimentary monitoring is not visible in public reporting as of mid-May 2026. Hospital main line: 787-801-0081.
The absence of an English-language substitute notice on the hospital’s website complicates response for affected individuals who do not read Spanish. The press-release PDF on the hospital’s homepage is the only first-party document publicly available.
What to do if you received a notification letter
This week:
- Place a free credit freeze at Equifax, Experian, and TransUnion. The full SSN exposure makes this essential, especially given the hospital does not appear to be offering monitoring.
- Pull a free credit report at
annualcreditreport.com. - File IRS Form 14039 to prevent fraudulent tax-return filings under your SSN.
- Consider purchasing your own credit monitoring since none is publicly offered. The 577 GB exfiltration volume and confirmed publication threat from The Gentlemen suggests the data is in the wild.
- Watch your insurance Explanation of Benefits for unfamiliar claims.
This month:
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests, FTC HBNR deletion requests, and state-law deletion requests so the demographic and medical data exposed in this breach is not continuously re-shared by data brokers and downstream entities.
- If you are a Puerto Rico resident: Law 111-2005 (Information Security Act) provides additional notification and protection rights beyond federal HIPAA. The Puerto Rico Department of Consumer Affairs (DACO) is the consumer-protection regulator.
Frequently asked questions
Was my data published?
The Gentlemen group claimed 577 GB and threatened publication. Whether the full dataset has been published is not confirmed in public reporting. The group’s pattern is to publish when payment is not received.
Should I sue?
No data-breach class action has been filed against Hospital Caribbean Medical Center as of mid-May 2026. A separate unrelated medical-malpractice case exists in the District of Puerto Rico but it is not connected to this breach. We are not a law firm and cannot give legal advice.
Is HealthConsent affiliated with Hospital Caribbean Medical Center?
No. HealthConsent is an independent health-data privacy service.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Hospital Caribbean Medical Center: Press Release (Spanish)
- Hospital Caribbean Medical Center Homepage
- HIPAA Journal: Hospital Caribbean Medical Center Data Breach
- Comparitech: 92,000 People Notified
- Paubox: The Gentlemen Ransomware Group Claims PR Hospital Attack
- El Nuevo Día: Hospital Caribbean Contains Cyber Attack
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.