Full Report
On March 24, 2026, SCUHS became aware of unauthorized activity on our computer network. We promptly launched a response with assistance from outside cybersecurity specialists to secure the network and determine the nature and scope of the activity. The investigation determined that certain files stored within our network were viewed and copied by an unauthorized actor between March 23 and March 24, 2026. We undertook a comprehensive review of the impacted files to determine what information was involved and to whom that information relates. Although we have no evidence of any identity theft or fraud in connection with this incident at this time, we are notifying you that some information was present within the impacted files.
Analysis Summary
# Incident Report: Unauthorized Access and Data Exfiltration at SCUHS
## Executive Summary
On March 24, 2026, Southern California University of Health Sciences (SCUHS) identified unauthorized activity within its computer network. An investigation revealed that an external actor gained access to the system between March 23 and March 24, 2026, viewing and copying files containing sensitive information. The university has since secured the network and is providing identity monitoring services to 2,206 affected individuals.
## Incident Details
- **Discovery Date:** April 24, 2026
- **Incident Date:** March 23, 2026 – March 24, 2026
- **Affected Organization:** Southern California University of Health Sciences (SCUHS)
- **Sector:** Education / Healthcare Education
- **Geography:** Whittier, California, USA
## Timeline of Events
### Initial Access
- **Date/Time:** March 23, 2026
- **Vector:** External system breach (Hacking)
- **Details:** An unauthorized actor gained entry to the SCUHS network environment; specific entry point details (e.g., VPN, Phishing) were not disclosed in the public notice.
### Lateral Movement
- **Details:** Between March 23 and March 24, the actor navigated the internal network to locate and access stored file directories.
### Data Exfiltration/Impact
- **Details:** The investigation confirmed that certain files were both viewed and copied (exfiltrated) by the unauthorized actor during the 24-hour window of compromise.
### Detection & Response
- **Discovery (03/24/2026):** Initial awareness of unauthorized activity.
- **Full Review (04/24/2026):** Determination through forensic investigation that data was copied and identification of the specific impacted population.
- **Notification (05/18/2026):** Formal written notices sent to 2,206 individuals.
## Attack Methodology
*Note: Specific technical TTPs were not detailed in the AG filing.*
- **Initial Access:** External hacking/system breach.
- **Collection:** Gathering files stored within the network.
- **Exfiltration:** Files were confirmed "copied" by the unauthorized actor.
- **Impact:** Unauthorized access to and disclosure of Personally Identifiable Information (PII).
## Impact Assessment
- **Financial:** Costs associated with forensic specialists, legal counsel, and 12 months of credit monitoring for 2,206 victims.
- **Data Breach:** Compromise of names and other personal identifiers.
- **Operational:** Investigation required the assistance of outside cybersecurity specialists to secure the network.
- **Reputational:** Public disclosure via the Maine Attorney General and notification to the university community.
## Indicators of Compromise
- **Network indicators:** None disclosed.
- **File indicators:** Access and exfiltration logs from internal file servers during the March 23-24 window.
- **Behavioral indicators:** Unusual file access patterns and unauthorized copying of data volumes.
## Response Actions
- **Containment:** Promptly launched a response to secure the network upon discovery.
- **Eradication:** Engaged outside cybersecurity specialists to remove unauthorized access and determine the scope of activity.
- **Recovery:** Conducted a comprehensive manual review of impacted files to identify affected parties.
- **Protection:** Offered 12 months of identity monitoring services via Kroll.
## Lessons Learned
- **Visibility:** The gap between the incident (March) and the full determination of what data was taken (April) highlights the complexity of data review following exfiltration.
- **Timely Detection:** Prompt awareness on March 24 prevented a long-term persistent threat, limiting the attacker's window to approximately 24 hours.
## Recommendations
- **Access Control:** Implement Multi-Factor Authentication (MFA) on all external-facing systems to prevent "external system breaches."
- **Data Encryption:** Ensure sensitive files are encrypted at rest to mitigate the impact if files are copied.
- **Audit Logging:** Enhance logging and alerting for large-scale file copying or "viewing" events.
- **Least Privilege:** Review file share permissions to ensure users (and compromised accounts) only have access to data necessary for their roles.