CA, San Diego American Indian Health Center: over 27,000 people are affected by data theft


27,367 people, including patients and healthcare / administrative staff, were affected by the theft of sensitive data after the ransomware-type cyber attack last May 5 at the San Diego American Indian Health Center (“SDAIHC”) in the state of California.

The people whose sensitive data was stolen also include patients or former patients residing outside the state of California.

The data collected by SuspectFile reveals disturbing details about the safety and “good management” of the data that people put in the hands of hospital entities. Unfortunately, this problem concerns not only the SDAIHC but also dozens of other US hospital entities.

The loss of data due to cyber attacks on IT infrastructure is a problem that for several years has cut across all types of activities around the world, but the loss affecting hospitals is certainly the most worrying.

Millions of data items have so far been made public by groups of cybercriminals whose priority is, in every case, profit. None of them has any interest in people’s health or in what can happen when a health system is forced to stop or reduce its operations.

We want to recall what happened in 2020 in a hospital in Germany, when the DoppelPaymer criminal group mistakenly attacked the clinic of the University of Düsseldorf by encrypting about thirty servers. For fear of more extensive data encryption, the hospital at that point decided to close access to the emergency room.

The shutdown of some servers caused a significant slowdown in patient care. In a statement at the time, a spokesperson for the hospital clinic reported that patient treatments went from 1000 cases to 550 daily; the number of operations carried out at the Düsseldorf university hospital also decreased substantially, from 70/120 per day to only 10/15.

The attack on the IT infrastructure of the university clinic caused delays in the treatment of a woman who, arriving at the emergency room in Düsseldorf, was diverted to a hospital in the city of Wuppertal about 20 miles away. The police investigation later established that the DoppelPaymer ransomware group hit the wrong entity, the university hospital instead of the Heinrich Heine University connected to it, and that the impossibility of an immediate admission to the hospital clinic in Düsseldorf was probably among the causes of the woman’s death.

But this was not the first case of death due to hospital “paralysis” during a ransomware-type cyber attack; in 2019, the Springhill Medical Center hospital in Alabama saw what was classified as the first suspected death due to a hacker attack.

Fortunately, what happened at the San Diego American Indian Health Center is “only” a data theft and the partial blocking of the hospital’s computer systems; normal activity was fully restored a few weeks after the cyber attack.

A statement published on the website of the non-profit organization reads:

…After a thorough investigation, on July 22, 2022, it was determined that certain personal information was potentially involved in the incident. SDAIHC then took steps to identify current contact information and to notify affected individuals and to provide complimentary identity protection and credit monitoring services…

The statement speaks of “personal information potentially involved in the incident”, a strange way of describing what really happened. Below is the information that cybercriminals have stolen from the SDAIHC; the list is for patients residing in the state of Maine:

  • Social Security numbers,
  • driver’s license or state identification card numbers,
  • tribal identification card numbers,
  • medical information,
  • health insurance information and / or dates of birth

At the moment, the name of the ransomware group responsible for the attack on the IT systems of the Californian non-profit organization is unknown (it is one of the questions we asked the San Diego American Indian Health Center in an e-mail sent last August 24), just as we have no reliable information on whether or not a ransom has been paid.

The cyber attack was reported to the Federal Bureau of Investigation and the U.S. Department of Health and Human Services.

We will update the article if new details on the case emerge.