The Fontana Herald News alerts us to an update by the San Bernardino County Sheriff’s Department concerning the ransomware attack they experienced in early April.
The county now states that they have been unable to determine definitively if personally identifiable information (PII) and protected health information (PHI) were accessed. From the county’s June 23 notice:
At this point, the investigation has been unable to rule out the possibility that a limited amount of protected personal information and/or protected health information may have been accessed in connection with this incident.
They note that information related to individuals may include individual’s names in combination with addresses, social security numbers, dates of birth, driver’s license or state ID, financial account number, medical information, and health insurance information.
After struggling for weeks to recover from the attack that encrypted systems, San Bernardino County paid a $1.1 million ransom to the hackers. Their cyberinsurance covered half of it. But if they were paying more than $1 million, how is it that as part of the negotiations, they didn’t get a file list of what the attackers accessed or exfiltrated? Did the attackers claim or provide any proof of accessing files with PII or PHI?