DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Watsonville Community Hospital still hasn’t notified all those affected by a November data breach; employees are reporting tax refund fraud

Posted on March 21, 2025 by Dissent

Felix Cortez reports:

Just months after Watsonville Community Hospital was hit by a cyber-attack, roughly 20 employees at the hospital now say they’re the victims of identity theft.

“We heard from a few of our employees that they reported there were fraudulent tax filings in their name, so someone else had tried to file a tax return in their name and they had received that notification from the IRS,” said hospital spokeswoman, Nancy Gere.

One employee who didn’t want to be identified told Action News 8 she had not yet filed a return but when she signed onto her IRS account it showed an $8,000 refund being processed she added the refund was flagged by IRS agents and not disbursed.

Coincidentally, DataBreaches had reached out to the hospital earlier this week to ask about any update because the incident still doesn’t appear on HHS’s public breach tool months after the incident was discovered.

But let’s back up a bit.

Watsonville Community Hospital first disclosed that they were dealing with a a cyberattack on November 29, 2024. In a substitute notice posted on December 31, 2024, they noted  that patients’ name, date of birth, Social Security number, passport number, and diagnosis information may have been present in files that had been accessed in a “recent data security event” that was still under investigation. They did not confirm or deny whether this was a ransomware attack.

Although individual notification of those affected had not yet taken place, threat actors known as Termite added the hospital to its dark web leak site on December 11. Watsonville may not have described the incident as a ransomware attack, but intel firms reporting on Termite at the time described it as a ransomware group using an older version of Babuk ransomware.

Termite’s leak site was last updated on January 8, 2025. The proof of claims included screenshots from what appears to be a very sensitive personnel-related file as well as screenshots of a patient-related file and a patient-related spreadsheet (below).

A spreadsheet called DNLD_Patient_Extract was posted as part of Termite’s proof of claims. The first and last names of patients as well as their date of birth and SSN have been redacted by DataBreaches.net. The visible portion of the spreadsheet also had completed fields for gender, blood type, and antibody (y/n).

So who has actually been notified by now? Did any of the employees receive individual notification letters? Did any patients?

If the hospital has not complied with state and HIPAA requirements to notify timely, why haven’t they been able to comply?

Watsonville did not respond to the inquiries emailed to it on March 18, and Termite does not list any way to contact them with questions. If they happen to see this post, perhaps they will get in touch as DataBreaches has some questions for them, too.

But will employees be able to demonstrate that this incident was the source of their identity data that was used for fraudulent tax filings? If it was only one or two employees, it might be difficult to demonstrate the link, but if 20 employees or more are all reporting tax refund fraud, then that makes it more likely that the incident was the common point of compromise, although it is still a question that will likely be raised in any litigation.

 

Category: Breach IncidentsHealth DataID TheftMalware

Post navigation

← Hacktivists claim cyber-sabotage of 116 Iranian ships
No need to hack when it’s leaking: OrthoMinds edition →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them
  • Iranian Man Pleaded Guilty to Role in Robbinhood Ransomware
  • Developments surrounding data breach at Dutch police
  • Estonia launches international search for Moroccan citizen wanted over data theft
  • Now it’s Tiffany: Another LVMH luxury brand hit by hackers
  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.