Pit River Health Data Breach Affects 1,800 Patients, Exposing PII and PHI

Pit River Health Service Inc., a nonprofit ambulatory health clinic serving the American Indian population and local residents in Shasta, Modoc and Lassen counties, California, has reported a cybersecurity incident that affected the personal data of approximately 1,800 individuals.

The incident was first detected when the information technology team at Pit River Health Service identified suspicious activity within their network. Actions were taken to secure systems and prevent further unauthorized access.

According to the organization, no information was altered or deleted, but some data may have been copied by the attackers. The Indian Health Service medical record system was not accessed during the breach.

As of Jan. 12, 2026, some systems have been fully restored, while others remain under enhanced security review. The investigation into the full scope of the breach is ongoing, and the company continues to work with cybersecurity professionals and federal partners.

The types of information potentially exposed include personally identifiable information (PII) and protected health information (PHI), though the company has not specified the exact data elements involved. Information that may have been exposed includes patient names, contact information, medical and dental records, and possibly other administrative data.

The breach was disclosed to the U.S. Department of Health and Human Services on Jan. 6, 2026. The company also posted a notice on its website, offering updates as more information is discovered.

The breach has impacted Pit River Health Service’s operations, leading to some delays in processes and the need for patients to verify information or complete paper forms during visits. However, appointments and services have continued throughout the incident.

Pit River Health Service's response

In response to the breach, Pit River Health Service has taken several steps to protect patient information and restore normal operations.

The organization’s IT team acted to identify and contain the suspicious activity, securing the network and preventing further unauthorized access. They have worked closely with cybersecurity experts and federal agencies, including the Office for Civil Rights at the Department of Health and Human Services, to investigate the incident and determine the extent of the breach.

The company has enhanced security monitoring across all systems and continues to review and strengthen its cybersecurity measures. Pit River Health Service has also notified federal authorities and is cooperating fully with ongoing investigations. The organization has also committed to providing updates to patients as more information becomes available.

Patients affected by the breach may be contacted directly if individual notification is required, as determined by federal authorities. In the meantime, patients are encouraged to remain vigilant for suspicious activity related to their personal or health information.

Given the nature of the breach, affected individuals should monitor their medical and financial accounts for unusual activity, be cautious of phishing attempts, and consider placing fraud alerts or credit freezes if they suspect their information has been misused.

As the investigation is ongoing, any updates will be posted to the company's website. Individuals with questions or concerns can contact Pit River Health Service at 530-335-3651 ext. 1050.