Pacific HealthWorks Hit By Everest Ransomware; Patient Data From 50+ Practices Published

Everest ransomware posted hundreds of Pacific HealthWorks files, exposing patient and billing records from 50+ medical groups; leaked samples show SSNs, claims and medical IDs.

    Pacific HealthWorks (PHW), a Southern California management services organization serving roughly 1,200 hospital-based physician groups, was listed this week on the Everest ransomware gang’s leak site. Everest also posted PHW’s sister company, La Perouse. The gang says it has billing data and personal records from more than 50 organizations and threatened to publish full datasets if its contact instructions are not followed.

    What Happened And Who Is Affected

    Everest posted victim pages for Pacific HealthWorks and La Perouse and supplied hundreds of sample files to prove access. The leak site shows internal company documents and apparent patient records. A combined total of about 5,000 viewers have accessed the posts so far.

    Pacific HealthWorks is headquartered in El Segundo and provides MSO services across more than 70 operating entities, 1,200 medical clinics, physician groups and hospitals. The organization’s clients include emergency, critical and ICU care teams, anesthesia providers and physician scribes who handle EHRs, and the company says it serves more than 1.4 million patients annually.

    Cybernews reported it was able to view the alleged samples on the leak site. The outlet and others say the dumps include data tied to dozens of PHW-connected entities, including Emergent Medical Associates, Benchmark Hospitalists & Intensivists and AnesthesiaWorks.

    Leaked Data And Sample Contents

    Everest published hundreds of sample files. The samples shown to reporters contain extensive personally identifiable information and clinical records. Reported data items include:

    • Name, Social Security number and date of birth
    • Addresses, email addresses, home and cell phone numbers
    • Gender, race, marital status and financial class
    • Medical and billing records, insurance and medical ID numbers
    • Insurance claims with diagnosis codes

    The gang’s victim post warns: “Billing data, as well as personal data of more than 50 organizations, will be published if the company does not contact us.” No countdown clock or explicit deadline appears on the posts.

    Timeline Questions, Ransom Claims And Company Response

    Everest listed dates under each victim page that appear inconsistent: the PHW post shows July 8 and La Perouse shows August 8, which may be a typo. The exact timing of the breaches remains unclear. Cybernews and other outlets say they reached out to Pacific HealthWorks for comment but had not received a response at the time of reporting.

    Everest Ransomware Activity And Targeting Profile

    Everest is a Russian-linked group first observed in 2021 and has become more visible in recent months. The gang has publicly named many victims, including Mailchimp, a gourmet franchise that later disappeared from the leak site, and several corporate and healthcare targets. Public trackers attribute hundreds of listings to the group since 2023.

    Martin Vigo, lead security researcher at AppOmni, told reporters that Everest has shifted tactics toward exfiltration and extortion via public leaks:

    “Victims are publicly named, and partial datasets are published to demonstrate the seriousness of the breach. This creates reputational and legal pressure, particularly for high-profile targets, and increases the likelihood of a payout.”

    Everest has been linked to other high-profile leaks and claims of large-scale exfiltrations across sectors, and it continues to use its dark-site publications as a pressure mechanism.
