Farah Amod
June 11, 2026
A San Fernando Valley hospital has agreed to pay nearly $1.55 million over a 2023 attack in which RansomHouse exfiltrated 2.5 terabytes of patient data and published portions of it publicly after negotiations failed.
Deanco Healthcare, operator of Mission Community Hospital in Panorama City, California, has agreed to a $1,546,409 class action settlement over a ransomware attack discovered on May 1, 2023. According to ClassAction.org, the settlement received preliminary court approval on March 9, 2026, and covers approximately 269,847 individuals whose information was exposed. Compromised data includes names, addresses, dates of birth, Social Security numbers, driver's license numbers, financial account information, health insurance plan member IDs, claims data, and clinical information. Two class action lawsuits filed in Los Angeles Superior Court were consolidated into Concepcion et al. v. Deanco Healthcare. Deanco denies all allegations of wrongdoing but agreed to settle to avoid the cost and uncertainty of a trial. The claims deadline is August 12, 2026, and the final approval hearing is scheduled for September 9, 2026.
According to DataBreaches.net, the hospital discovered the breach while investigating a May 1 network switch failure, which turned out to be related to the intrusion. RansomHouse exploited vulnerabilities in Paragon and Cisco systems to gain access. The group does not encrypt files; it exfiltrates data and demands payment in exchange for not publishing or selling it. RansomHouse claimed 2.5 terabytes of stolen data, listed Mission Community on its leak site, and began leaking portions of the stolen data publicly by early June 2023 after negotiations broke down. Notification letters went to affected individuals in November 2023, roughly six months after the attack.
In its breach notification to the California Attorney General's Office, Mission Community Hospital informed patients that "while in our IT network, the unauthorized party accessed files containing patient information" and that the investigation "cannot rule out the possibility that files containing some of your information may have been subject to unauthorized access." RansomHouse posted on its leak site: "Dear Mission Community Hospital Management, We strongly recommend you contact us to prevent your confidential data or research data from being leaked or sold to a third party," according to Becker's Hospital Review.
RansomHouse operates differently from most ransomware groups. Rather than deploying encryption, the group focuses entirely on data exfiltration, demanding payment solely to prevent publication or sale of stolen files. According to DataBreaches.net, the group's leak site listing for Mission Community remained active without a resolution message, suggesting the hospital declined to pay and accepted the data publication risk. The model makes recovery operationally easier because systems remain functional, but it eliminates the possibility of keeping a breach quiet, since the threat of publication is the group's primary source of leverage.
The three-year gap between the May 2023 attack and the 2026 settlement shows the extended litigation cycle that now follows virtually every healthcare data breach of this size. The hospital contained the attack quickly, but 269,847 patients had their most sensitive identifiers exposed, notification did not go out for six months, and the legal proceedings ran for nearly three years before resolution. The $1.55 million settlement will cover attorney fees of roughly $591,000 and administration costs up to $235,400; whatever remains goes to class members on a pro rata basis, meaning individual payments are likely to be modest. For a community hospital in the San Fernando Valley serving a predominantly working-class population, the reputational and financial toll extends well beyond the settlement figure itself. According to Paubox's Small Healthcare Practices report, smaller healthcare organizations frequently lack the dedicated security staffing and monitoring infrastructure that would catch an intrusion at the network level before data exfiltration is complete.
RansomHouse does not encrypt files. Its leverage comes entirely from data exfiltration and the threat of publication or sale. Organizations retain operational access to their systems but face the same notification obligations and litigation exposure as any other breach, without the option of paying for a decryption key to limit damage.
Even when an intrusion is detected quickly, determining which specific files were accessed and which individuals were affected requires a forensic review of potentially large volumes of data. The six-month gap between the May 2023 detection and November 2023 notifications is consistent with the timeline for reviewing 2.5 terabytes of exfiltrated data, though HIPAA's 60-day notification requirement runs from the date of discovery rather than the conclusion of the review.
After attorney fees, administration costs, and service awards are deducted from the $1.55 million fund, the remaining amount is divided among all class members who submit valid claims. The more claims filed, the smaller each individual payment. California residents receive an additional $100 statutory payment regardless of claim volume.
DataBreaches.net reported that RansomHouse exploited vulnerabilities in the hospital's Paragon and Cisco systems to gain access. The attack vector shows the risk posed by unpatched vulnerabilities in clinical and network infrastructure, consistent with OCR's 2024 congressional report finding that insufficient patching and weak authentication were among the most common factors in investigated healthcare breaches.
When a group publishes a victim on a dark web leak site, the organization should treat it as confirmation of exfiltration and assess its breach notification obligations immediately, regardless of whether negotiations are ongoing. Waiting for negotiations to conclude before beginning the notification assessment risks violating HIPAA's 60-day clock and compounds legal exposure if the data is subsequently published.