Oklahoma City Indian Clinic impacted by Suncrypt’s ransomware attack
The Oklahoma City Indian Clinic (OKCIC) serves 20,000 patients from more than 200 different Native American tribes. A note on their website and their Twitter account currently apologizes that due to technological issues, the pharmacy automatic refill line and mail order services will be down for an indeterminate amount of time.
The home page of their website now reads:
Oklahoma City Indian Clinic recently experienced a network disruption that is impacting our ability to access certain computer systems. We immediately began an internal review and are actively working with our IT staff and third-party specialists towards a resolution. We will keep our community updated as we learn more information. Please visit our website and social media accounts (Facebook, Twitter and Instagram) for updates.
The explanation for the “technological issues” appears to be a ransomware attack by Suncrypt, who have added the clinic to their dedicated leak site. Suncrypt claims that they have acquired 350GB+ of files including electronic health records databases and financial documents.
“We will be publishing full leak if we do not reach a negotiation soon,” Suncrypt threatens. As proof of claim, they provide two small archives of files, including a filetree.
The Suncrypt ransomware group was first observed in October, 2019, and there was a long gap in their public appearances this past year. They have recently re-emerged and started updating their dark web leak site. Their notice to Press now reads:
The Suncrypt group is a huge fan of a Win-Win style of negotiations and the minimal damage policy, but we are forced to release the data of the entities that preferred not to cooperate.
The management of this companies decided that we are not releasing the data for long period due to technical or some other reasons.
The 10% of the data for each company will be posted within the next 72 hours.
The exfiltrated information is sold only in one hands. So its a great chance to get your info back.
If the lot wasn’t bought out within a week it is posted for free. Stay tuned !
Use the messaging system to arrange a press release interview or to buy out the data you liked.
Suncrypt’s attack on OKCIC directly contradicts a statement they made to this site in September, 2020 that this site reported at the time. After initially attacking a medical entity, they had removed the entity from their leak site and told DataBreaches.net that they had carefully avoided ever locking up life support systems or interfering with any hospital operations.
“We were aiming for the data,” the spokesperson stated, adding,
We don’t play with people’s lives. And no further attacks will be carried against medical organizations even in this soft way.
So why have they attacked OKCIC when they are impacting people’s healthcare and lives?
From OKCIC’s website:
Central Oklahoma American Indian Health Council, Inc. dba Oklahoma City Indian Clinic (OKCIC) is a 501(c)(3) nonprofit corporation that strives to increase access to quality health care and wellness services and produce positive health care outcomes for urban American Indians living in central Oklahoma.
OKCIC is a contractor of the (federal) Indian Health Service.
Let me stress the above: OKCIC is a nonprofit corporation dedicated to providing healthcare to those who often struggle to obtain culturally sensitive and quality healthcare due to lack of insurance, lack of providers in certain areas, and overcrowded emergency rooms.
And these are the folks Suncrypt hit?
DataBreaches.net has sent inquiries to both OKCIC and Suncrypt about this incident and will update this post if replies are received.
DataBreaches.net hopes this is simply an error on Suncrypt’s part and they will immediately provide the clinic with decryption help to help them restore health services.
Update March 29: While neither OKCIC nor Suncrypt have responded directly to this site’s inquiries, OKCIC gave a statement to KFOR that includes the following: “While our investigation remains ongoing at this time, we currently do not have evidence of unauthorized access to patient information.”