Integris Health has finished the analysis of the files that were viewed/stolen as a result of a cyberattack in November 2023. It has submitted the breach report to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicating that 2,385,646 individuals were affected. The breach notifications state that the stolen data differs from one person to another and contains names along with at least one of these data: birth date, contact data, Social Security number and/or demographic data. Integris Health confirmed that the following data were not accessed or stolen: employment data, driver’s licenses, usernames/passwords, and financial/payment details. Integris Health mentioned it has checked and improved current guidelines and procedures to lessen the possibility of the same future occurrence.
The legal cases filed against Integris Health are increasing. The Johnston v. Integris Health Inc. lawsuit was submitted in the U.S. District Court for the Western District of Oklahoma with Teresa Johnson as named lead plaintiff. The lawsuit claims negligence for not applying reasonable and proper safety measures and wants compensatory damages, nominal damages, punitive damages, restitution, declaratory and injunctive relief, and attorney fees and expenses. The class action lawsuits have the same claims and are in line with similar facts, therefore they will probably be combined into one lawsuit.
Multiple Class Action Lawsuits Against Integris Health
A number of class action lawsuits were filed against Integris Health because of a recent cyberattack and data breach. Although Integris Health did not confirm yet the number of individuals that were impacted, the threat actor responsible for the attack states it possesses the information of about 2 million individuals and sent an email to those patients on December 24, 2023, asking for ransom payment after Integris Health declined to pay.
William Federman of Federman & Sherman law firm filed the Zinck et al v. Integris Health Inc. lawsuit in the U.S. District Court for the Western District of Oklahoma representing plaintiff Aaron Zinck and those with similar situation. Allegedly, Integris Health did not apply reasonable and proper security measures to safeguard patient information, despite knowing that hospitals are highly likely to encounter ransomware or other cyberattacks.
Federman called out Integris Health for lacking transparency regarding the cyberattack and data breach, saying Integris Health failed to announce the attack until after the hackers contacted the patients directly. Integris Health mentioned in its notice to patients that the threat actor acquired access to its network on November 28, 2023. Federman claims Integris Health hid vital details that could have enabled the plaintiff and class members to do something to protect their identities and protect against fraud. Although it is common for healthcare companies to provide free credit monitoring and identity theft protection services in case of sensitive data theft, it seems that those services were not provided.
The lawsuit wants a jury trial, attorney’s fees, and an award of damages. Some other lawsuits were likewise filed in the last couple of days that have the same claims, such as Gregory Leeb v. Integris Health, Joseph E Bointy v. Integris Health, and Civi et al v. Integris Health Inc.
Threat Actors Contact Integris Health Patients Directly After Cyberattack
Integris Health, the biggest not-for-profit health system in Oklahoma, has reported the compromise of its internal systems in a cyberattack. An unauthorized third party acquired patient information. Integris Health manages 15 hospitals in Oklahoma and several family care practices, centers of excellence, and specialty clinics. Integris Health posted a notice on its website on December 24, 2023, regarding a data privacy occurrence. Based on Integris Health, the healthcare provider discovered suspicious activity inside its IT systems and took immediate action to stop further unauthorized access. The investigation to uncover the nature and extent of the breach revealed that unauthorized access began on November 28, 2023. The threat actor extracted sensitive information from Integris Health’s systems without encrypting files.
Integris Health has performed an analysis of the impacted files and has affirmed that the breached data includes names, birth dates, contact data, demographic details, and Social Security numbers. Integris Health confirmed that no health data, financial data, usernames/passwords and driver’s licenses were stolen. Some patients told Integris Health on December 24, 2023 that they were contacted by the threat actor. The threat actor explained in the message to patients that they had acquired names, birth dates, SSNs, addresses, telephone numbers, insurance data, and employer data, and that they were going to sell the information on the dark web to identity thieves. They told the patients that they could stop the sale of their information by paying before January 5, 2024, or else, the whole database is going to be sold to a data agent. The message to patients also included a sample of the stolen information as evidence, which many patients have verified as true.
The threat actor claims to have gotten the PHI of over 2 million patients of Integris Health, and that it is demanding ransom payment from patients since Integris Health doesn’t want to pay to delete the PHI. The patients were given a Tor link to send their payments and the threat actor is asking $3 per individual to see their stolen information or $50 to delete the data. Based on Bleeping Computer, the Tor extortion website shows 4,674,000 records, though it is uncertain whether all of those data are unique. Integris Health has no information yet about the number of individuals impacted.
There were some cyberattacks where threat actors called patients directly after the attacked company declined to give a ransom payment. At the beginning of this year, a plastic surgery clinic’s patients were called directly and were informed that sensitive photos and other data were listed in the public domain. To take down those information, payment must be made. Lately, the Hunters International threat group called Fred Hutchinson Cancer Center patients after the cancer center did not pay the ransom demand. The threat group instructed the patients to pay $50 to have their data deleted or else it might be sold. The data theft during the cyberattack happened on the weekend of Thanksgiving Day.
Although paying the $50 could delete the stolen data, there is no assurance. Those who pay up may still encounter additional extortion attempts and/or the selling of their sensitive data. It is encouraged that any person getting such communications must not respond or call the sender, or adhere to any of the directions, such as getting any links.