Cyber Incident Victim: Oklahoma City Indian Clinic
Date: Mar 2022
Location: United States of America
Summary
A cyberattack disrupted pharmacy operations at Oklahoma City Indian Clinic, causing indefinite outages of automatic refill and mail-order prescription services, requiring patients to contact the pharmacy directly with detailed prescription information. The SunCrypt ransomware group claimed responsibility, alleging theft of over 350GB of data including financial documents and electronic health records, though the clinic did not confirm these claims or any unauthorized access to patient information. The nonprofit organization initiated an internal review with third-party forensic specialists to investigate the incident while maintaining critical services for its patient population across multiple tribes.
Description
On or around March 10, 2022, Oklahoma City Indian Clinic (OKCIC) began experiencing technical difficulties that were later identified as a cyberattack. The nonprofit clinic, serving over 20,000 patients from 200 Native American tribes, publicly acknowledged the incident through website statements and social media posts. The attack disrupted critical pharmacy operations, forcing the indefinite shutdown of automatic prescription refill services and mail-order pharmaceutical distribution. Patients requiring medication refills were instructed to contact the pharmacy directly by phone and bring physical prescription vials to facilitate manual processing. Clinic staff requested patients provide specific prescription details during calls, including chart numbers, drug names, dosing instructions, prescribing providers, and medication strengths. OKCIC immediately initiated an internal review upon detecting system inaccessibility and engaged both internal IT personnel and external forensic specialists to investigate the breach. Throughout the disruption, the organization committed to providing community updates while working toward resolution, though no restoration timeline was established for affected services.

The SunCrypt ransomware group claimed responsibility for the attack through its leak site, alleging exfiltration of over 350GB of data including financial documents and electronic health records. Cybersecurity publication DataBreaches.net and local news outlet KFOR corroborated SunCrypt's involvement, though OKCIC did not formally confirm the attacker's identity or validate data compromise claims. In an official statement to KFOR, OKCIC emphasized that investigators had found no evidence of unauthorized patient data access as of the reporting period. Forensic analysis revealed that the attackers deployed ransomware capable of terminating system processes and removing forensic artifacts, consistent with 2022 SunCrypt variants documented by Minerva Labs researchers. Active since October 2019, SunCrypt primarily targeted the technology and retail sectors through a limited affiliate program and, before this incident, had publicly claimed that it avoided operations against healthcare facilities. OKCIC maintained ongoing compliance with regulatory requirements throughout its investigation, while neighboring healthcare institutions in Kentucky and Tennessee concurrently managed unrelated cybersecurity disruptions.
