
'The Gentlemen' ransomware group claims attack on Puerto Rico hospital

A 45-bed community hospital in Fajardo, Puerto Rico, is notifying 92,000 patients after a February ransomware attack was claimed by an emerging double-extortion group.

 

What happened

Hospital Caribbean Medical Center in Fajardo, Puerto Rico, has reported a data breach to the HHS Office for Civil Rights affecting 92,000 individuals following a ransomware attack detected in early February 2026. According to Comparitech, the hospital's monitoring systems identified suspicious activity, and staff activated containment and isolation protocols with the support of external cybersecurity experts. On February 17, nine days after the hospital's public announcement, a ransomware group called The Gentlemen posted the hospital's data to its dark web leak site, giving the organization around 10 days to respond before threatening to publish stolen data. The hospital has not confirmed whether a ransom was paid, what data categories were compromised, or how attackers gained access. As of the date of this article, the incident remains under investigation.

 

Going deeper

The Gentlemen first began adding victims to its leak site in September 2025 and has since claimed 328 attacks, with 24 confirmed. The Caribbean Medical Center attack is the group's fourth confirmed attack on a healthcare provider. The group operates a standard double-extortion model, exfiltrating data before deploying encryption, then threatening to publish stolen files if a ransom is not paid. According to Comparitech's February 2026 ransomware roundup, healthcare attacks jumped 30 percent between January and February 2026, increasing from 37 to 48 confirmed incidents in a single month, with The Gentlemen gaining credibility as a group willing to follow through on leak threats. The hospital operates 45 beds, four of which are in intensive care, serving the Fajardo region of eastern Puerto Rico. The 92,000 figure represents a substantial portion of that community's population.

 

What was said

Hospital Caribbean Medical Center stated in its press release that "the situation was identified by the hospital's monitoring systems, which allowed for the timely implementation of containment and isolation measures, with the support of external cybersecurity experts. Currently, the hospital network is operating normally." The hospital confirmed it had notified relevant authorities and was maintaining active collaboration with specialists supporting the ongoing investigation. A March update confirmed the attack had been successfully contained.

 

In the know

The Gentlemen's emergence as a confirmed healthcare threat sits within a wider pattern of smaller ransomware groups targeting community hospitals. According to Comparitech, healthcare was one of the most targeted sectors in February 2026, with attacks rising 30 percent month-over-month. The group has a notably wide geographic focus compared to other active operators, with confirmed attacks spanning the US, Europe, Latin America, and Asia. The Caribbean Medical Center is its fourth confirmed healthcare victim, alongside three other confirmed provider attacks documented since the group emerged in September 2025.

 

The big picture

Community hospitals like Caribbean Medical Center face a structural disadvantage against ransomware groups, one that larger health systems partially offset through dedicated security staffing and redundant infrastructure. According to Paubox's Rural Healthcare Left Vulnerable report, nine out of ten rural and community healthcare leaders say secure email is a priority, yet 85 percent report their current infrastructure cannot support advanced security tools. Healthcare breaches take an average of 224 days to detect and another 84 days to contain, according to Paubox's Small Healthcare Practices report. A 45-bed hospital serving a regional community has no margin for a prolonged outage, which is precisely the advantage ransomware operators rely on when selecting targets.

 

FAQs

Who is The Gentlemen ransomware group?

The Gentlemen emerged in September 2025 and has claimed 328 attacks with 24 confirmed as of April 2026. The group uses double extortion, exfiltrating data before encrypting systems, and has targeted healthcare, government, and financial organizations across multiple countries and regions.

 

Why has the hospital not confirmed what data was compromised?

Forensic investigations in ransomware incidents require a full review of every file the attacker accessed during the intrusion period before organizations can confirm what data was taken. Until that review is complete, HHS breach portal figures often reflect an estimated upper bound rather than a confirmed final count.

 

What does the 92,000 figure represent relative to the Fajardo community?

Fajardo has a population of approximately 35,000, meaning the 92,000 figure extends well beyond the immediate municipality and likely covers patients drawn from across eastern Puerto Rico who received care at the hospital over an extended period.

 

Why are community hospitals targeted more often than larger systems?

Smaller facilities typically operate with leaner IT teams, less mature monitoring, and fewer redundant systems, meaning an attack causes faster operational disruption and creates greater pressure to pay quickly. Ransomware operators factor in that pressure when selecting targets.

 

What should a community hospital do immediately after detecting suspicious activity?

Isolating affected network segments, preserving system and access logs, engaging a retained incident response firm, and opening a parallel HIPAA breach assessment with legal counsel from the moment of detection all reduce the time between discovery and confirmed scope, which directly affects both regulatory exposure and patient notification timelines.
