Pit River Health Service Data Breach 2026: 1,800 Tribal Health Patients Exposed in Northern California. EHR + Dentrix Offline. What To Do
Pit River Health Service, a tribal health nonprofit serving the Pit River Tribe and the American Indian population of Shasta, Modoc, and Lassen counties in northeastern California, suffered a December 2025 cyberattack that took its EHR and Dentrix dental systems offline. 1,800 patients exposed. IHS records carved out as unaffected. No credit monitoring publicly named. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 1, 2025
EHR and Dentrix dental systems go offline; initial public notice of system unavailability
Dec 1, 2025
Attacker gained access
Dec 17, 2025
Pit River publicly confirms data theft
Dec 17, 2025
Disclosed publicly
Jan 6, 2026
HHS OCR filing
Jan 12, 2026
Status update: some systems restored, others under enhanced review
Jan 22, 2026
Second signed status letter posted to entity site
Feb 10, 2026
Third signed cybersecurity letter posted
Dec 1, 2025
EHR and Dentrix dental systems go offline; initial public notice of system unavailability
Dec 1, 2025
Attacker gained access
Dec 17, 2025
Pit River publicly confirms data theft
Dec 17, 2025
Disclosed publicly
Jan 6, 2026
HHS OCR filing
Jan 12, 2026
Status update: some systems restored, others under enhanced review
Jan 22, 2026
Second signed status letter posted to entity site
Feb 10, 2026
Third signed cybersecurity letter posted
Data exposed
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Pit River Health Service Inc. is a nonprofit ambulatory clinic system founded in 1979, serving the American Indian population of Shasta, Modoc, and Lassen counties in northeastern California. The organization operates two clinic sites — Burney and Alturas — providing medical, dental (Dentrix system), and behavioral health services. The dental program alone serves approximately 1,200 tribal patients.
Around December 1, 2025, Pit River Health Service’s EHR and Dentrix dental systems went offline, with initial public notice that systems were unavailable. On December 17, 2025, Pit River publicly confirmed data theft. The HHS OCR filing was made on January 6, 2026 — confirming 1,800 affected individuals.
Pit River has posted three signed cybersecurity letters (January 12, January 22, and February 10, 2026) tracking the restoration progress. The letters are posted as JPG images, not text — body content is not machine-readable from the web.
No ransomware group has publicly claimed responsibility. No leak-site listing has been identified. The operational signature (EHR + Dentrix simultaneously taken offline, multi-week restoration) is consistent with ransomware, but Pit River has not used the word “ransomware” publicly.
What IHS records are carved out
Pit River explicitly stated that the Indian Health Service (IHS) medical record system (RPMS) was not accessed. This carves out the federal IHS records but leaves the entity’s local EHR and Dentrix data in scope.
What was potentially exposed
Per third-party reporting (Claim Depot):
- Patient names
- Contact information
- Medical and dental records
- Possibly administrative data
SSNs, dates of birth, addresses, and government IDs are referenced in aggregator coverage but not officially confirmed by the entity. Tribal enrollment IDs have not been publicly enumerated as in scope.
If you receive a Pit River Health Service notification letter, the letter will list the specific data elements involved in your case.
What Pit River is offering
No credit monitoring service has been publicly named. The entity has advised patients to monitor accounts and consider fraud alerts or credit freezes — self-serve guidance rather than a sponsored offering. No dedicated hotline number is visible in publicly indexed text (notice letters are posted as images).
Tribal sovereignty caveat
Pit River Health Service is a nonprofit 501(c) entity rather than a tribal government instrumentality per se. Sovereign immunity defense against civil suits is plausible but unconfirmed — this would be a focal point of any class action against the organization itself.
What to do
- Call Pit River Health Service at the Burney or Alturas clinic to ask whether you have been notified and what response is being offered.
- Read your specific notification letter if you receive one.
- Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
- If your tribal enrollment ID was potentially in scope, contact the Pit River Tribe directly about secondary protections.
- Stop the ongoing flow of your tribal health data. HealthConsent files HIPAA restriction requests covering tribal health, dental, and behavioral health pathways.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Pit River Health Service: Cybersecurity Incident Update
- Pit River Health Service: Update on Status
- HIPAA Journal: Pit River Health Coverage
- DysruptionHub: Pit River Health Cyber Incident
- ClaimDepot: Pit River Health Service 2026
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.