Keralty / Sanitas RansomHouse ransomware attack
The RansomHouse gang struck Colombian healthcare giant Keralty and its EPS Sanitas and Colsanitas subsidiaries, claiming 3 TB of stolen data and crippling appointment scheduling for a network serving more than 6 million patients.
- Victim: Keralty (EPS Sanitas, Colsanitas)
- Users: 6.0M
On 27 November 2022, the RansomHouse extortion group struck Keralty, one of Latin America's largest private healthcare groups, paralysing the IT systems of its Colombian health insurers EPS Sanitas and Colsanitas and turning a digital intrusion into a public-health crisis.
What happened
Keralty is a multinational healthcare organisation operating 12 hospitals and roughly 371 medical centres across Latin America, Spain, the United States, and Asia, employing about 24,000 people — including 10,000 physicians — and serving over 6 million patients. On 27 November 2022, ransomware tore through its network, knocking out IT operations, corporate websites, and — critically — the medical-appointment scheduling system.
Keralty initially described the disruption as "technical issues" before confirming on 29 November that it had suffered a cyberattack. It activated contingency plans and worked around the clock to restore services while Colombian authorities opened a criminal investigation.
Impact on patients
The operational fallout was severe and visible. Local media reported patients waiting more than 12 hours for care at Sanitas facilities, with some reportedly fainting while waiting for attention that could not be scheduled. For a network underpinning a large share of Colombia's contributory health system, the loss of appointment booking and records access rippled across clinics nationwide for days.
Data theft and extortion
RansomHouse publicly claimed the attack and asserted it had exfiltrated 3 TB of data from Keralty's systems — a figure that was not independently verified at the time. True to the group's double-extortion playbook, the attackers escalated pressure over the following months: in March 2023, they published additional classified EPS Sanitas information online, demonstrating that the stolen trove included sensitive patient and corporate records.
Why it matters
The Keralty incident was a landmark in the 2022–2023 wave of ransomware against Colombian institutions, sitting alongside the EPM utility attack weeks later and the 2023 IFX Networks supply-chain breach. It underscored how ransomware against a healthcare provider is not merely a data-protection failure but a direct threat to patient safety, and it placed RansomHouse — also later linked to IFX Networks — among the most disruptive actors operating against Latin America. The breach intensified scrutiny of how Colombian health entities secure the personal medical data of millions of citizens.
Timeline
- RansomHouse deploys ransomware across Keralty's network, disrupting IT systems, websites, and appointment scheduling.
- Keralty reports technical issues affecting its services and those of subsidiaries EPS Sanitas and Colsanitas.
- Keralty publicly confirms a cyberattack and activates contingency plans as authorities open a criminal investigation.
- RansomHouse claims responsibility and asserts it has stolen 3 TB of data from Keralty's systems.
- Months later, the attackers publish additional classified EPS Sanitas information online, escalating the extortion.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/
- infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/ransomware-target-colombias-health/
- infobae.com: https://www.infobae.com/colombia/2023/03/14/ciberataque-a-sanitas-hackers-revelaron-mas-informacion-clasificada-de-la-eps/
- cyberintelmag.com: https://cyberintelmag.com/attacks-data-breaches/attack-from-keralty-ransomware-affects-colombias-healthcare-system/