Integris Health Confirms 2.4 Million Record Data Breach

Integris Health, a not-for-profit health system that operates 16 hospitals and has healthcare providers in 49 towns and cities in Oklahoma, has recently reported a data breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that has affected 2,385,646 patients. Integris Health identified suspicious activity within its network and took its systems offline while a forensic investigation was conducted. The investigation confirmed that unauthorized individuals gained access to its network and accessed or acquired files containing patient data on November 28, 2023.

On December 24, 2023, Integris Health became aware that some of its patients had been contacted by a cybercriminal group that claimed responsibility for the attack. The threat group claimed to have stolen the personal and health information of more than 4.67 million patients, including names, Social Security numbers, dates of birth, and information about the services they received at Integris Health. The communications sent to patients gave them two options. They could pay $3 to view the data that had been stolen or they could pay $50 to have their data deleted. Patients were threatened with the publication of their data if they did not pay the $50 by January 5, 2024.

Fewer healthcare organizations are paying ransoms to data thieves and ransomware gangs, so they have adopted more aggressive tactics such as attempting to extort patients directly when ransoms are not paid. There have been several attacks over the past year where patients have been contacted and directly threatened with data exposure or other negative consequences if payment is not made to have their data deleted. Paying a ransom or making a payment to a threat group comes with no guarantee that the stolen data will be deleted. There have been many cases where victims are subject to further extortion demands or cyberattacks after paying a ransom. Integris Health advised its patients not to interact with the hackers.

As the Integris Health investigation progressed it was confirmed that patient data had been stolen. Integris Health has now confirmed that the following information was exposed or obtained in the attack: name, date of birth, contact information, demographic information, and/or Social Security number. Integris Health said employment information, driver’s licenses, financial/payment information, or usernames/passwords were not involved. Integris Health has now notified the affected individuals and has shared information on the steps that can be taken to protect against fraud and abuse, but credit monitoring and identity theft protection services do not appear to have been offered.

A breach of this magnitude was certain to result in lawsuits and many have already been filed against Integris Health. The lawsuits all make similar claims – that Integris Health was negligent by failing to implement appropriate security measures to protect against unauthorized access to patient data. The lawsuits seek damages, restitution, and injunctive and declaratory relief.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/