DataBreaches.Net


16 months after they experienced a ransomware attack, Dameron Hospital notifies those affected

Posted on April 4, 2025 by Dissent

In 2017, Dameron Hospital in Texas reported a breach to the California Attorney General’s Office. No copy of its breach notification was uploaded to California’s breach site, and Dameron did not respond to this site’s email asking for details of the breach. The incident never appeared on HHS’s public breach tool, so we never found out what happened or how many people were affected.

On or about November 4, 2023, Dameron experienced another breach. This one was a ransomware incident that we learned about when RansomHouse listed it on its leak site in December 2023. RansomHouse claimed to have encrypted Dameron’s files and to have exfiltrated 480 GB of files. RansomHouse subsequently leaked the data.

RansomHouse listed Dameron Hospital on its darkweb leak site. The data was subsequently leaked. Image: DataBreaches.net

Dameron recently settled a potential class action lawsuit for $650k. Those who are eligible class members have until April 22, 2025 to file a claim, as explained on the official settlement website. According to the complaint and court records, the settlement class was estimated to contain 262,475 people. As of publication today, this 2023 incident is still not on HHS’s public breach tool even though Dameron has recently sent out notification letters and notified the Texas Attorney General’s Office and the California Attorney General’s Office of the breach.

Dameron’s letter to those affected, which appears in redacted form online, states, in part:

Upon learning of this issue, we immediately commenced a prompt and thorough investigation. As part of our investigation, we have been working very closely with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and comprehensive document review, on March 21, 2025, we determined your personal data may have been subject to unauthorized access or acquisition, which occurred between November 4, 2023, and November 5, 2023.

Their notification does not explain why it took them 16 months to notify those affected. Equally important, their notification says that personal data “may have been subject to unauthorized access or acquisition.” But given that the data was leaked in 2023, didn’t the hospital have every reason to know that data was acquired, and not only acquired, but leaked? Why weren’t patients told when their data had been leaked online?

As noted above, a lawsuit over the 2023 breach has already resulted in settlement. But will HHS investigate whether the hospital had been compliant with the HIPAA Security Rule and the notification rule, or will Dameron’s incident become just another breach with no regulators taking enforcement action?

DataBreaches did not find any provision in the settlement document that committed Dameron to investing more in infosecurity or cybersecurity. DataBreaches emailed the plaintiff’s attorney yesterday to ask if there was any such provision, but no reply has been received. Perhaps if a federal or state regulator does investigate Dameron’s security and incident response, a corrective action plan may result, but given how few security rule enforcement actions HHS has pursued and given recent staffing cuts to HHS, DataBreaches isn’t holding its breath.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.