DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Kentfield Hospital victim of cyberattack by World Leaks, patient data involved

Posted on July 5, 2025 by Dissent

While some of us were considering whether Hunters International was in the process of re-branding as World Leaks or not, World Leaks was busy adding a hospital to its leak site.

Kentfield Hospital in California is a critical care hospital that specializes in treating patients with complex medical needs who require an extended period of time for recovery in a hospital setting.  It is one of Vibra Healthcare’s facilities.

 

All Data FILE SERVER mnt DISC1 KFH FILE SERVER ACCOUNTING Administration Admission Archives CaseManagement Departments Dialysis EmployeeHealth InfectionControl MarinDepartments P Payroll Pharmacy Plant Operations PoliciesAndProcedures Quality Respiratory SFO Unit Secretary Wound Care
World Leaks claims to have exfiltrated 146.4 GB of data, consisting of 140,683 files. This screenshot shows the folders in the leak. Image: DataBreaches.net

Patient Data Involved

Although it has not been publicly leaked yet, DataBreaches was able to preview the data tranche and found that although it did not contain any EMR databases, it did contain a lot of protected health information on named patients.

There were folders with patient names as part of the folder names, with files relating to their admission, treatment, and discharge. For any one patient, there might be more than a dozen files with detailed information.

Fig. 1. Partial listing of exposed patient files for a named patient. Image: DataBreaches.net.

Figure 1 is a redacted screenshot showing a partial listing of files in one patient’s folder. Kentfield seemed to use a folder and file-naming convention that includes the patient’s first and last name for the folder name and their last name for individual files. Individual filenames also incorporated something about the content or subject of the file as well as the month and day. None of the files in this particular folder were encrypted or password protected. They contained a wealth of personal and protected health information with name, date of birth, medical record number, financial record number, diagnoses, medications, care, test results, etc.

Admissions-related folders contained patient folders, mostly from 2020 and 2021, but also with the first months of 2022.

Other patient-related files from 2023 and 2024 were noted, including investigations of complaints involving patient care, and quality improvement reviews initiated by CMS as part of its peer review processes

The tranche contained more than 28,000 image files where patients’ names and portions of their anatomy had been photographed to document wound care or other treatment issues.

Hundreds of files related to patients’ health insurance were also involved. Most of them were verification of insurance files, but some involved billing information.

DataBreaches did not check all of the files in the tranche, but with one exception, all of the patient-related files that were checked were unencrypted. The only password-protected files that DataBreaches noted were in a folder that indicated the files had come from Kaiser.

Personnel Data Involved

No databases involving detailed personnel information or payroll information were spotted, but there were a some files involving disciplinary issues and termination reports involving named employees. One file of new employee hires contained names, professional roles, and date of birth. DataBreaches did not find any files with Social Security numbers or W-2 data.

Kentfield’s Response

There is nothing on Kentfield’s website to alert patients or employees to any incident involving personal information. Because World Leaks claims that they do not encrypt systems or files, hospital functions and patient care may not have been disrupted by this incident, but the hospital would appear to have a reportable breach that will require notification to HHS, California regulators, some personnel, and patients.

DataBreaches submitted a contact form inquiry to the hospital this morning, asking when they first discovered a breach and what they were doing in response to it. No reply was immediately received. This post will be updated if a reply is received.

World Leaks declined to discuss the attack in terms of when they gained access and whether Kentfield had responded to them at all.

 


Related:

  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Two more entities have folded after ransomware attacks
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Global hack on Microsoft product hits U.S., state agencies, researchers say
  • Michigan ‘ATM jackpotting’: Florida men allegedly forced machines to dispense $107K
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
Category: Commentaries and AnalysesHackHealth DataU.S.

Post navigation

← India’s Max Financial says hacker accessed customer data from its insurance unit
Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.