American Hospital Dubai 450M Patient Records Claimed by Gunra Ransomware

Jun 1, 2025 · 450M records claimed

HIGH

By Karim El Labban · ZERO|TOLERANCE

On June 4, 2025, the Gunra ransomware group publicly claimed responsibility for breaching American Hospital Dubai (AHD), one of the UAE's most prestigious private healthcare facilities.

The threat actor asserted exfiltration of approximately 450 million patient records totaling 4TB of uncompressed data - a figure later escalated to a claim of 40TB - from the hospital's Oracle Health (Cerner Millennium) electronic health record system.

The claimed dataset included Emirates IDs, credit card numbers, clinical diagnostic records, fertility appointment histories, and payroll data for over 2,700 employees.

01

KEY FACTS

  • What: Gunra ransomware claimed 450M patient records from American Hospital Dubai.
  • Who: Patients and 2,700+ employees of American Hospital Dubai.
  • Data Exposed: Emirates IDs, credit cards, medical records, and fertility data.
  • Outcome: Hospital disguised breach as "system update"; no notification issued.

02

WHAT HAPPENED

The intrusion was first detected internally at approximately 02:00 AM on June 1, 2025. Gunra operators had already penetrated AHD's core infrastructure - VMware vSphere virtualization hosts, EMC Unity storage arrays, and the Cerner Millennium electronic health record platform - and initiated data exfiltration.

Over the next three days, the hospital operated under crisis conditions while attempting to contain the breach and assess the scope of data loss.

Between June 1 and June 4, AHD leadership chose concealment over disclosure. No formal breach notification was issued to affected individuals, the UAE Data Office, or the Dubai Health Authority within the 72-hour window mandated by the UAE PDPL.

On June 4, Gunra publicly listed AHD on its dark web leak site, claiming 450 million patient records totaling 4TB of uncompressed data.

The group set a payment deadline of June 8. When the deadline passed without payment, Gunra began publishing data samples and escalated its claim to 40TB. The samples included Emirates IDs, credit card numbers, clinical records, and fertility treatment histories - data types that, if verified at scale, would represent one of the largest healthcare data exposures in the Middle East.

03

WHAT WAS EXPOSED

  • Emirates ID numbers linked to patient identities and residency records
  • Credit card numbers and billing histories from hospital payment systems
  • Complete clinical and diagnostic records including lab results and imaging reports
  • Fertility treatment appointment schedules and reproductive health records
  • Insurance policy details and claims histories for multiple UAE insurers
  • Payroll spreadsheets and HR files spanning 2,700+ employee folders
  • Internal email communications including executive-level correspondence

The Gunra ransomware group emerged in April 2025 as a derivative operation built on leaked Conti source code, employing ChaCha20 symmetric encryption with RSA key wrapping.

The scope of the compromise extended across AHD's core technology stack including VMware vSphere virtualization infrastructure, EMC Unity storage arrays, and the Cerner Millennium EHR platform.

04

TIMELINE AND ATTEMPTED COVER-UP

  • June 1, 2025, ~02:00: intrusion detected internally; Gunra operators already inside the VMware vSphere hosts, EMC Unity storage arrays and the Cerner Millennium EHR, with exfiltration under way.
  • June 1-4: the hospital operates under crisis conditions while presenting the disruption as a "system update"; no notification goes to affected individuals, the UAE Data Office or the Dubai Health Authority.
  • June 4: Gunra lists AHD on its dark web leak site, claiming 450 million records and 4TB of uncompressed data.
  • June 8: the payment deadline passes without payment.
  • After June 8: Gunra publishes data samples (Emirates IDs, card numbers, clinical and fertility records) and raises its claim to 40TB.

05

REGULATORY ANALYSIS

The breach engages multiple provisions of the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). Healthcare data occupies a specifically elevated category under UAE law.

Article 7 designates health data as a "special category" requiring heightened protections. Article 26 requires data controllers processing special categories to maintain higher standards of technical and organizational security.

Article 28 mandates breach notification within 72 hours. AHD's failure to issue formal notification, together with its active characterization of the incident as a "system update", may constitute separate violations. Under the UAE PDPL, healthcare facilities face penalties up to AED 10 million.

06

ZERO|TOLERANCE Advisory

A ransomware group built on leaked Conti source code walked through American Hospital Dubai's infrastructure - VMware vSphere, EMC Unity storage, and the Cerner Millennium EHR platform - and claimed to have exfiltrated 450 million patient records.

The hospital's response was to tell patients it was a system update. The control gaps implied by a breach of this scope are well understood, and the controls that would have prevented or contained it are neither novel nor expensive.

Every recommendation below maps to a specific point in the kill chain where the attack could have been stopped or its impact dramatically reduced.

The Gunra ransomware variant uses ChaCha20 symmetric encryption with RSA key wrapping - a payload that must execute on target systems to encrypt data.

Endpoint Detection and Response (EDR) platforms from CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint detect and block ransomware payload execution in real time through behavioral analysis - mass file modification, high-entropy overwrites, shadow-copy deletion - rather than relying on signature matching alone.

The Conti codebase that Gunra derives from is extensively fingerprinted by every major EDR vendor.

Deploying EDR with anti-tampering protections across all servers and workstations - including the Windows and Linux hosts that run vCenter, backup and storage management consoles - is the difference between a contained alert and a hospital-wide encryption event.

EDR must cover the full infrastructure stack, not just user endpoints. Where an agent cannot run, as on the ESXi hypervisors themselves, the compensating controls are lockdown mode, SSH disabled outside change windows, and host and vCenter logs shipped to the SIEM, so that ransomware staging on the hypervisor is at least visible.
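As an added illustration of the behavioral detection described above (example code written for this advisory; it is not EDR vendor code and nothing here is taken from the AHD incident), the block below scores file-system telemetry per process on two signals an encryptor cannot avoid producing: high-entropy overwrites and extension-changing renames, spread across several directories inside a short window. The JSON event format, the process names, the paths and the thresholds are all constructed assumptions.

```python
"""Behavioral ransomware detection over file-system telemetry.

Added example for this advisory: not EDR vendor code and not anything
recovered from the AHD incident. The event feed (JSON lines carrying ts,
pid, process, op, path and the bytes written) is a hypothetical agent
format, and the thresholds are illustrative starting points, not tuned.
"""
import hashlib
import json
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # per-process sliding window
MIN_EVENTS = 20          # suspicious writes/renames needed inside the window
MIN_DIRECTORIES = 3      # an encryptor sweeps many folders; an editor or backup job does not
ENTROPY_THRESHOLD = 7.5  # bits/byte: ChaCha20 output is ~8.0, documents are far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious(ev: dict) -> bool:
    """Per-event indicators: a high-entropy overwrite, or a rename that changes the extension."""
    if ev["op"] == "write":
        return shannon_entropy(bytes.fromhex(ev["data_hex"])) >= ENTROPY_THRESHOLD
    if ev["op"] == "rename":
        return ev["path"].rsplit(".", 1)[-1] != ev["new_path"].rsplit(".", 1)[-1]
    return False


class RansomwareDetector:
    """Keeps a per-process sliding window of suspicious events and alerts once
    both the event count and the number of distinct directories cross thresholds."""

    def __init__(self):
        self.windows = defaultdict(deque)  # pid -> deque of (ts, directory)
        self.alerted = set()

    def feed(self, ev: dict):
        """Returns an alert dict when this event tips its process over the line, else None."""
        if not is_suspicious(ev):
            return None
        win = self.windows[ev["pid"]]
        win.append((ev["ts"], ev["path"].rsplit("/", 1)[0]))
        while ev["ts"] - win[0][0] > WINDOW_SECONDS:   # expire entries outside the window
            win.popleft()
        dirs = {d for _, d in win}
        if len(win) >= MIN_EVENTS and len(dirs) >= MIN_DIRECTORIES and ev["pid"] not in self.alerted:
            self.alerted.add(ev["pid"])
            return {"pid": ev["pid"], "process": ev["process"],
                    "events": len(win), "directories": sorted(dirs)}
        return None


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext, so the run is reproducible."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_events() -> list:
    """Constructed telemetry (no real hospital data): a benign editor, a backup job
    writing archives into one folder, and an encryptor sweeping three share folders."""
    events = []
    prose = (b"Follow-up visit scheduled; results reviewed with the patient. " * 20).hex()
    for i in range(5):    # editor: low-entropy saves, one folder
        events.append({"ts": i, "pid": 1001, "process": "winword.exe", "op": "write",
                       "path": f"/share/notes/n{i}.docx", "data_hex": prose})
    for i in range(25):   # backup job: high-entropy output, but no breadth
        events.append({"ts": 10 + i, "pid": 1002, "process": "backup.exe", "op": "write",
                       "path": f"/backups/set{i}.zip", "data_hex": pseudo_random_bytes(f"zip{i}", 2048).hex()})
    folders = ["/share/lab", "/share/imaging", "/share/billing"]
    for i in range(12):   # encryptor (hypothetical process name): overwrite, then rename, across folders
        path = f"{folders[i % 3]}/report{i}.pdf"
        events.append({"ts": 100 + 2 * i, "pid": 2002, "process": "svchost32.exe", "op": "write",
                       "path": path, "data_hex": pseudo_random_bytes(f"enc{i}", 2048).hex()})
        events.append({"ts": 101 + 2 * i, "pid": 2002, "process": "svchost32.exe", "op": "rename",
                       "path": path, "new_path": path + ".ENCRT"})
    return events


def run_demo() -> list:
    """Replay the sample stream as JSON lines (the on-the-wire shape) and collect alerts."""
    detector = RansomwareDetector()
    alerts = []
    for line in (json.dumps(ev) for ev in build_sample_events()):
        alert = detector.feed(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT pid={a['pid']} {a['process']}: {a['events']} suspicious ops across {a['directories']}")
```

The breadth check (MIN_DIRECTORIES) is what separates the backup job from the encryptor: both write high-entropy data, but only one sweeps across folders, so only pid 2002 alerts, and it does so on its twentieth suspicious operation, well before the sweep finishes. Production agents add further signals, such as shadow-copy deletion and ransom-note creation, on top of this kind of scoring.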

The scope of exfiltration - 4TB or more across the EHR platform, storage arrays, and email systems - points to weak or absent network segmentation and data loss prevention controls: moving that volume out of a hospital network should not be possible without crossing a monitored boundary.

Healthcare environments must isolate clinical systems from administrative networks, and both from internet-facing infrastructure. A properly segmented network forces lateral movement through chokepoints where detection is possible.

Data Loss Prevention (DLP) sensors at network egress points detect and block bulk data transfers that match healthcare record patterns - patient identifiers, Emirates IDs, credit card numbers.

The exfiltration of terabytes of structured patient data should have triggered automated blocking at the network boundary. Without segmentation or DLP, the attacker moved from initial access to bulk exfiltration with no preventive control in the way; by the time the intrusion was detected, data was already leaving.
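The egress inspection described above, as an added example written for this advisory (it is not the code of any DLP product and not anything recovered from the AHD incident): the block matches the two identifier types the article names, Emirates IDs (784-YYYY-NNNNNNN-C) and payment card numbers, counts distinct identifiers per outbound flow, and blocks once a flow carries enough of them to look like a bulk export. It assumes a sensor that hands it the decoded payload of each flow; how that payload is obtained (proxy, TLS interception, CASB) is outside the example. The Emirates ID check is structural only (784 prefix, plausible birth year); its check-digit algorithm is not validated, which is a stated assumption. All sample identifiers are synthetic.

```python
"""Egress DLP content inspection for healthcare identifiers.

Added example for this advisory, not the code of any DLP product and not
anything recovered from the AHD incident. Assumes a sensor that supplies
the decoded payload of each outbound flow. The Emirates ID check is
structural only; its check digit is not validated here (an assumption).
"""
import datetime
import re

BULK_THRESHOLD = 10   # distinct identifiers in one flow before we block rather than log

# Emirates ID: 784-YYYY-NNNNNNN-C (784 is the ISO 3166-1 numeric code for the UAE)
EMIRATES_ID_RE = re.compile(r"\b784[- ]?(\d{4})[- ]?\d{7}[- ]?\d\b")
# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit Luhn-valid (used only to build synthetic test data)."""
    return next(str(c) for c in range(10) if luhn_valid(partial + str(c)))


def plausible_iin(digits: str) -> bool:
    """Issuer prefixes worth matching: Visa, Mastercard (51-55 and 2221-2720), Amex."""
    two, four = int(digits[:2]), int(digits[:4])
    return digits[0] == "4" or 51 <= two <= 55 or 2221 <= four <= 2720 or two in (34, 37)


def find_emirates_ids(text: str) -> set:
    """Structurally valid Emirates IDs with a plausible birth year, normalised to digits."""
    this_year = datetime.date.today().year
    found = set()
    for m in EMIRATES_ID_RE.finditer(text):
        if 1900 <= int(m.group(1)) <= this_year:
            found.add(re.sub(r"[ -]", "", m.group(0)))
    return found


def find_card_numbers(text: str) -> set:
    """Digit runs that pass length, issuer-prefix and Luhn checks."""
    found = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and plausible_iin(digits) and luhn_valid(digits):
            found.add(digits)
    return found


def classify_flow(name: str, payload: str) -> dict:
    """Inspect one outbound payload. Emirates ID candidates are redacted before
    the PAN pass so a 15-digit ID is never double-counted as a card number."""
    ids = find_emirates_ids(payload)
    scrubbed = EMIRATES_ID_RE.sub("<EID>", payload)
    cards = find_card_numbers(scrubbed)
    hits = len(ids) + len(cards)
    verdict = "block" if hits >= BULK_THRESHOLD else ("log" if hits else "allow")
    return {"flow": name, "emirates_ids": len(ids), "cards": len(cards), "verdict": verdict}


def build_sample_flows() -> dict:
    """Constructed payloads with synthetic identifiers (no real patient data)."""
    def eid(i):
        return f"784-{1950 + i % 50}-{i:07d}-{i % 10}"

    def card(i):
        body = "400000" + f"{i:09d}"          # 15 digits + Luhn digit = 16-digit synthetic Visa PAN
        return body + luhn_check_digit(body)

    bulk = "name,emirates_id,card\n" + "\n".join(f"patient{i},{eid(i)},{card(i)}" for i in range(40))
    single = f"claim_id=8812&member={eid(7)}&amount=350.00"
    bad_pan = card(3)[:-1] + str((int(card(3)[-1]) + 1) % 10)   # right shape, wrong check digit
    noise = f"accession={bad_pan}; legacy_ref=784-2099-1234567-1; ts=20250604021500"
    return {"bulk_export": bulk, "single_claim": single, "noise": noise}


def run_demo() -> dict:
    return {name: classify_flow(name, payload) for name, payload in build_sample_flows().items()}


if __name__ == "__main__":
    for r in run_demo().values():
        print(f"{r['flow']:13s} EIDs={r['emirates_ids']:3d} PANs={r['cards']:3d} -> {r['verdict']}")
```

Counting distinct identifiers rather than raw pattern hits is what keeps a single insurance claim at "log" while a 40-row export tips into "block"; the Luhn and issuer-prefix checks are what stop accession numbers, timestamps and malformed IDs from inflating the count. A real deployment would also inspect archives and compressed streams, since an attacker moving 4TB is unlikely to send it as plain CSV.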

The Cerner Millennium EHR platform held the most sensitive data in the hospital - clinical records, fertility treatment histories, and diagnostic results.

Access to this system should be governed by role-based access controls enforced through Privileged Access Management (PAM), with all administrative sessions authenticated via phishing-resistant MFA such as FIDO2 hardware security keys.

Database-level encryption using Oracle Transparent Data Encryption (TDE) ensures that exfiltrated database files are unreadable without the encryption keys, which must be stored in a Hardware Security Module (HSM) physically separated from the database infrastructure.

Had Gunra taken raw datafiles, exports or backups, TDE with HSM-managed keys would have rendered them cryptographically useless. The caveat is that TDE protects data at rest only: an attacker holding valid application or DBA credentials reads decrypted rows through the database exactly as the EHR does, which is why TDE has to sit alongside the PAM and MFA controls above rather than replace them.

The most damaging failure at American Hospital Dubai was not technical. It was the decision to conceal the breach.

The COO's instruction to "please ignore and don't share it" and the characterization of a ransomware attack as a "system update" delayed patient notification, obstructed regulatory response, and may constitute independent violations of the UAE PDPL's notification requirements.

Incident response planning must include pre-drafted notification templates, legal counsel authorization protocols, and a communication chain that activates within hours of confirmed data exposure.

The 72-hour notification window under the UAE PDPL exists because early notification enables affected individuals to freeze credit lines, monitor for identity fraud, and change compromised credentials.

Every hour of concealment is an hour that patients' Emirates IDs and credit card numbers circulate without their knowledge.

07

SOURCES

DataBreaches.Net, Cybernews, SC Media, Semafor, UAE Federal Decree-Law No. 45 of 2021, Dubai Health Authority Regulations
