Security

December 13, 2024

There Was a Ghost in Your Network - 17 Million Records Gone From Three Hospitals

PIH Health lost 2 terabytes of patient data across three hospitals. The attackers sent faxes to brag about it.

George
Kyla

"Be informed, there was a Ghost in your network! But don't get spooked, ghost is friendly."

That's what the fax said. A fax - sent by the attackers themselves to PIH Health after they'd already stolen 2 terabytes of data from three Southern California hospitals. 17 million patient records. 8.1 million medical episodes. And then they had the audacity to send a friendly note about it. When the threat actors are taunting you by fax, you've lost control of the situation in ways that go beyond IT.

On December 1, 2024, a ransomware crew hit PIH Health's network and took down Downey Hospital, Good Samaritan Hospital, and Whittier Hospital - plus their urgent care centers, physician offices, and home health services. The attackers claimed they wanted to negotiate. PIH Health's 3 million patients across Los Angeles and Orange counties became bargaining chips.

If the 17 million figure holds, this is the second-largest healthcare breach of 2024. Let that number sit for a second. Second largest. In a year already full of catastrophic healthcare breaches.

What the Attack Looked Like From the Inside

When ransomware hits a hospital, you don't just lose files. You lose the ability to function as a hospital. At PIH Health, the damage was immediate and cascading.

Phone systems went down. Electronic prescriptions stopped working - pharmacies switched to cash-only because they couldn't process insurance. Online appointment scheduling disappeared. Lab orders and radiology requests reverted to paper. Test results couldn't be accessed electronically. Some surgeries were cancelled outright.

Emergency rooms and urgent care stayed open, running on downtime procedures - the analog fallback that every hospital hopes it never has to use for more than a few hours. PIH Health was on downtime procedures for weeks.

I've said it before: when you attack a hospital, you're not just encrypting data. You're disrupting care. Every cancelled surgery, every delayed test result, every patient who couldn't get their prescription filled - that's the real damage. The data theft is the leverage. The operational disruption is the weapon.

How Attackers Think About Hospital Networks

Here's what an attacker sees when they look at a multi-hospital health system like PIH Health. They see a large, interconnected network - multiple facilities sharing EHR systems, lab information systems, radiology platforms, and administrative tools. Compromise one node and you've got a pathway to everything.

They see a target that cannot tolerate downtime. Hospitals don't get to say "we'll be back up next week." Every hour of downtime is a care delivery crisis. That urgency is leverage.

They see high-value data - not just names and Social Security numbers, but medical histories, insurance details, treatment records. Healthcare data sells for more on the dark web than financial data because it's harder to change. You can get a new credit card. You can't get a new medical history.

And they see an organization that will face massive regulatory consequences for a breach. HIPAA notification requirements. OCR investigations. State attorney general scrutiny. Class action lawsuits - which have already been filed against PIH Health.

All of that pressure pushes toward one outcome: pay the ransom. The attackers know this. The fax wasn't just arrogance. It was a calculated negotiation tactic.

The Fax Tells You Everything

"If you're not going to cooperate and make a deal, all your confidential files will be published."

This is double extortion - encrypt the systems and steal the data, then threaten to publish if the victim doesn't pay. It's been the standard ransomware playbook for years, and healthcare is the perfect target because the data is both operationally critical and deeply sensitive.

The attackers sending physical faxes is a detail worth pausing on. It means they understood PIH Health's communication channels. It means they wanted to make sure the message got through even with IT systems down. And it means they wanted to create a paper trail that could leak to the media - which it did, via the LA Daily News.

This is social engineering at the organizational level. The technical attack gets you in. The psychological pressure gets you paid.

What Went Wrong

We don't have the full forensic picture yet. PIH Health is working with cyber forensic specialists and cooperating with the FBI. But based on what we know, a few things are clear.

The attackers had enough time in the network to exfiltrate 2 terabytes of data before deploying ransomware. That's not a smash-and-grab. That's a sustained presence - days or weeks of lateral movement, discovery, and data staging. Somewhere in that timeline, there were detection opportunities that were missed.

The attack hit multiple facilities simultaneously. That suggests the attacker had broad network access, likely through shared infrastructure - a common Active Directory environment, shared administrative credentials, or a centralized management system that became a single point of compromise.

And the operational impact was total. Phone systems, clinical applications, scheduling, pharmacy - everything went down. That level of disruption suggests insufficient network segmentation. If the clinical systems, phone systems, and administrative systems are all reachable from the same compromised network segment, one breach takes everything offline.

The Playbook That Would Have Changed This

The gap that matters most here is the one between initial access and ransomware deployment. The attackers were inside the network long enough to find, collect, and exfiltrate 2 terabytes of data. That's the window where detection and response should have kicked in.

SecUnit's agents are designed to collapse that window. Our offensive validation agent maps the same lateral movement paths an attacker would use - shared credentials, overprivileged service accounts, flat network segments that let you pivot from a compromised workstation to an EHR database. It finds those paths before the attacker does.

Our investigation agent watches for the telltale signs of data staging and exfiltration - unusual file access patterns, bulk data movement to staging directories, outbound transfers to unfamiliar endpoints. When 2 terabytes starts moving through your network, there should be an alarm going off. Not two weeks later in a forensic report.
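As an added illustration of the volume-based alarm described above (example code written for this post, not SecUnit's product or anything from the PIH Health investigation), the following Python groups outbound flow records by internal host, ignores destinations the organisation already knows, and raises an alert when any host sends more than a threshold of data to unfamiliar hosts inside a sliding one-hour window. The flow records, the known-destination list and the 10 GiB threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GIB = 1024 ** 3

# Constructed outbound flow records: (timestamp, internal source, external
# destination, bytes sent). Sample data only, not from any real incident.
FLOWS = [
    ("2024-11-29T02:05:00", "10.20.5.14", "198.51.100.20", 2 * GIB),  # nightly offsite backup
    ("2024-11-29T02:40:00", "10.20.5.14", "198.51.100.20", 3 * GIB),
    ("2024-11-29T03:10:00", "10.20.7.31", "203.0.113.9", 6 * GIB),    # file server to unknown host
    ("2024-11-29T03:35:00", "10.20.7.31", "203.0.113.9", 9 * GIB),
    ("2024-11-29T03:50:00", "10.20.7.31", "203.0.113.9", 7 * GIB),
    ("2024-11-29T09:00:00", "10.20.9.2", "203.0.113.9", 1 * GIB),     # small transfer, under threshold
]

# Destinations the organisation already expects traffic to (backup vendor, cloud EHR, ...).
KNOWN_DESTINATIONS = {"198.51.100.20"}


def detect_bulk_exfil(flows, known_dsts, window=timedelta(hours=1), threshold=10 * GIB):
    """Return (src, window_start, total_bytes, destinations) for every internal host
    that sends at least `threshold` bytes to unfamiliar destinations within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if dst in known_dsts:
            continue  # expected traffic (backups, SaaS) is excluded from the count
        by_src[src].append((datetime.fromisoformat(ts), dst, nbytes))

    alerts = []
    for src, records in by_src.items():
        records.sort()
        start, total = 0, 0
        for end, (ts, _dst, nbytes) in enumerate(records):
            total += nbytes
            # slide the left edge forward until the window spans at most `window`
            while ts - records[start][0] > window:
                total -= records[start][2]
                start += 1
            if total >= threshold:
                dsts = sorted({r[1] for r in records[start:end + 1]})
                alerts.append((src, records[start][0].isoformat(), total, dsts))
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for src, since, total, dsts in detect_bulk_exfil(FLOWS, KNOWN_DESTINATIONS):
        print(f"ALERT {src}: {total / GIB:.0f} GiB to unfamiliar hosts {dsts} since {since}")
```

Real flow data would come from a NetFlow/IPFIX collector or firewall logs rather than a hard-coded list, and the threshold should be tuned per host role so that backup servers and imaging archives do not drown the alert in noise.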

And our remediation agent isolates the compromised segment without taking clinical systems offline. That's the piece that manual incident response can't deliver fast enough - by the time a human analyst triages the alert, correlates the indicators, and decides to pull the network cable, the attacker has already moved.

PIH Health's 3 million patients are now waiting to find out what was in those 17 million records. The lawsuits are already filed. The fax is already in the news. The ghost was in the network for a long time before anyone noticed. Talk to us before you get a fax like that.