Sonoma Valley Hospital loses 3-letter domain name to hijackers

Sonoma Valley Hospital loses its three-letter domain name to 'malicious pirates.'|

Sonoma Valley Hospital's website was hacked earlier this month, forcing the change of its URL and email addresses, hospital officials announced last week.

On Tuesday, Aug. 6, at 6:30 p.m., the hospital's domain was 'maliciously acquired,' said Celia Kruse de la Rosa, the hospital's communications director.

Hospital CEO Kelly Mather added: 'The hijacking of our domain name was surprising and we are finding out, not unusual for highly valuable three letter domain names such as '''

When it became apparent that the hospital would not get the domain name returned, they 'began migrating all internet connectivity to the new and current domain: (web) and (email),' de la Rosa said.

Mather said they 'are taking every step to increase our visibility using the new domain as quickly as possible.'

The hospital's Emergency Management and Information Security teams 'have handled the incident exceptionally well,' said hopsital officials.

Stressed Mather: 'Again we emphasize that at no time was patient care or privacy compromised during this incident.'

The full transfer was complete on Aug. 13.

It is unclear who hijacked the website or how, but according to a local website design expert, the hospital's three-letter domain name was especially attractive to thieves.

'This domain is a perfect target for that (it) has all the elements hijackers want,' said Blaine Transue, co-founder of WildFireWeb, a Sonoma-based web design and development company. 'The domain itself has a lot of value at this point as it has seen a great deal of traffic since 1996, so simply hijacking it and filling pages full of ads can be profitable.'

Transue said that three-letter domains are also hard to come by. 'Any other organization that uses that acronym – in the world – would pay handsomely to get their hands on it, probably to the tune of thousands of dollars if not much more,' said Transue, 'so it will likely be resold at some point.'

The hospital registered the website on Sept. 23, 1996, and the expiration date was Sept. 22, 2021.

'The record was updated however on Aug. 7, and now the domain is in the hands of 'pirates,'' Transue said.

Transue said the significance of having a branded domain name stolen "cannot be overstated."

"Consider, for example, that every piece of printed marketing material, every piece of letterhead, every business card has to be reprinted," said Transue. "Branding and marketing campaigns, signage, all need to be updated at significant expense, and that just scratches the surface, that's the easy stuff."

Transue further noted the affect of a change in URL on outside web pages, clients' bookmarks, email addresses of employees, updating staff contact and the absence of the new URL from online search engines' search histories.

"The technical support and associated labor alone is daunting," he said.

The hospital's primary email addressed changed from to and any emails sent to are not getting through to staff there. De la Rosa is asking that people update their contact information to reflect the new email addresses and website domain name, which is now

Transue said URL addresses are often open to vulnerabilities. One common domain-hijacking scenario to be aware of, he said, is when scammers send a fake domain renewal notification and people respond, providing information to the scammers who can then take control of the domain. 'People fall for it all the time,' said Transue, 'and once it's gone, it's all but impossible to retrieve.'

Added Transue: "(Sonoma Valley Hospital) isn't the first business in Sonoma to fall prey to this, but it's probably the biggest."

Contact Anne at

UPDATED: Please read and follow our commenting policy:
  • This is a family newspaper, please use a kind and respectful tone.
  • No profanity, hate speech or personal attacks. No off-topic remarks.
  • No disinformation about current events.
  • We will remove any comments — or commenters — that do not follow this commenting policy.