Government-managed dataset of national vaccination and citizen health records.
The Dominican Republic's Ministry of Public Health and Social Assistance suffered a cyberattack in April 2024 that compromised more than 8,000 files containing COVID-19 vaccination records. The threat actor, using the alias CiberInteligenciaSV, posted the stolen dataset on Breach Forums, a hacking forum known for hosting Latin American breach data. Dominican news outlet DominicanToday and security researchers at Resecurity confirmed and analysed the leak.
The published dataset covered approximately 820,000 individuals. Compromised fields included the citizen's full name and Dominican national identification number (cédula), along with vaccination-specific data including total doses received, the clinic where doses were administered, dates of vaccination, and the type of vaccine used. The dataset reportedly included records linked to vaccines from Pfizer and SINOVAC, the two principal vaccines used in the Dominican vaccination campaign. Researchers noted possible overlaps with a separate breach of Dominican tourism company Caribe Tours from 2022, although the precise origin of the SESPAS file was not definitively traced.
For affected individuals, the practical risk is concentrated in identity-fraud scenarios using the cédula as a stable government identifier. The combination of full name and cédula supports identity-verification bypass at Dominican banks, government services, and other regulated institutions. Vaccination records themselves carry less direct fraud value but contribute to medical-privacy harm and could support discrimination or targeted social engineering. Individuals whose data may have been included should remain alert to unsolicited contact referencing public-health or government services, monitor accounts at Dominican financial institutions, and request fraud alerts where available.
ObscureIQ assessment: High sensitivity. Exposure can enable identity theft, medical privacy harm, profiling based on health status, and government-themed phishing or fraud.
The institutional impact on the Dominican Ministry of Public Health was meaningful but bounded by limited domestic regulatory enforcement infrastructure. There is no public record of substantial penalties against SESPAS or its IT contractors specifically tied to the breach. The reputational impact was concentrated within the Dominican public-health and digital-identity policy debate, with researchers and journalists pointing to the incident as evidence of weak data governance around health programs. Cross-border concern has been voiced because the dataset includes records on tourists who received vaccinations during stays in the country, alongside records on Dominican nationals.
The Ministry of Public Health and Social Assistance of the Dominican Republic, known by its Spanish acronym SESPAS or MSP, is the Dominican government agency responsible for national public health policy, programs, and registry management. As part of its COVID-19 response, the Ministry maintained a national vaccination registry that recorded each citizen's vaccination status, doses received, dates, vaccine type, and the clinic where each dose was administered. The dataset combined immunisation records with each individual's national identification number (cédula), tying vaccination status to a stable government identifier used widely for identity verification, banking, employment, and access to government services across the Dominican Republic.
Vaccination-record datasets contain highly sensitive information: citizen identity, public-health records, vaccination status, dates, and healthcare-linked information across immunization programs.
SESPAS confirmed the cyberattack publicly in mid-April 2024 and engaged technical specialists to investigate. Dominican authorities acknowledged additional cyberattacks against government systems through 2024 and 2025, including an October 2024 breach of the country's migration system that was later linked in international reporting to a Spanish hacking operation called 'Udyat.' The Dominican Republic's data-protection framework continues to operate under Ley 172-13 of 2013, with broader legislative discussion about modernisation continuing through 2025. The COVID-19 vaccination dataset has continued to circulate on Breach Forums and other dark-web aggregators in the years since the original publication.
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.
If you believe your information may be included:
Verified fields include Full Name, Government ID.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on: