Threat Actors Contact Integris Health Patients After Cyberattack
Integris Health, the biggest Oklahoma-owned not-for-profit health system, has reported that its internal systems were compromised in a cyberattack. The unauthorized third party acquired patient information during the attack. Integris Health manages 15 hospitals in the state, along with specialty clinics, centers of excellence, and family care practices. On December 24, 2023, Integris Health published a notice on its website concerning a data privacy breach. According to Integris Health, it detected suspicious activity in its IT systems and took quick action to prevent further unauthorized access. The health system started an investigation to determine the nature and extent of the incident, which showed that the unauthorized access began on November 28, 2023. The threat actor extracted sensitive information from Integris Health’s systems without encrypting files.
Integris Health has reviewed the exposed files and has reported that the compromised data included names, birth dates, contact data, Social Security numbers, and demographic data. Integris Health stated that no medical data, financial information, usernames/passwords, or driver’s licenses were stolen. On December 24, 2023, the cyberattacker began contacting Integris Health patients, claiming to have obtained their names, birth dates, SSNs, addresses, telephone numbers, insurance data, and employer data, and threatening to sell the information on the dark web. Patients were told to make a ransom payment before January 5, 2024 to prevent the sale of their data; otherwise, the whole database would be offered for sale to a data broker. The messages to patients contained a sample of the stolen information as evidence, which some patients have confirmed to be real.
The threat actor claims to have stolen the protected health information (PHI) of over 2 million Integris Health patients, and says it is demanding payment from patients because Integris Health did not pay for the deletion of the information. The patients were given a Tor link for making the payment. The threat actor is asking individuals to pay $3 to view their stolen information or $50 to delete the data. According to Bleeping Computer, the Tor extortion website lists 4,674,000 records, though it is uncertain whether every one of those is unique. Integris Health has not confirmed the number of individuals impacted.
There have been several recent cyberattacks in which the threat actors contacted individual patients directly after the breached entity declined to pay the ransom. The patients of one plastic surgery clinic were called directly by the attacker, who said that sensitive pictures and other data had been published in the public domain and that payment must be made to delete the information. In another instance, the Hunters International threat group contacted Fred Hutchinson Cancer Center patients when the ransom was not paid and asked them to pay $50 to delete their information; otherwise, it would be made available for sale. The data theft happened during the Thanksgiving Day weekend.
Although paying the $50 ransom demand is supposed to bring about the deletion of the stolen data, there is no assurance that it will. People who pay the ransom can be targeted for additional extortion attempts, and/or their sensitive data may still be offered for sale. Integris Health stated in its website notification that patients should not respond to the communications or follow the attacker’s instructions.
Corewell Health Business Associate Experiences Million-Record Data Breach
The Office of the Michigan Attorney General reported that the PHI of over one million Corewell Health patients was exposed in a cyberattack on a vendor of Corewell Health. Corewell Health’s population health management platform was created by HealthEC and is used to identify high-risk patients in southeastern Michigan and determine obstacles to optimal care.
In the breach notification letters, HealthEC stated that it identified suspicious activity in its system. The forensic investigation confirmed that an unidentified, unauthorized person accessed some internal systems from July 14, 2023 to July 23, 2023. During that time, files that contained PHI were taken out of its network. HealthEC reviewed all compromised files and informed the impacted clients on October 26, 2023. HealthEC subsequently helped those clients by sending breach notifications. According to the breach notification given to the Maine Attorney General, HealthEC began sending notification letters to 112,005 people on December 22, 2023. Some of HealthEC’s covered entity clients have decided to send notification letters themselves.
According to HealthEC, the following types of data were exposed: names, addresses, birth dates, diagnoses and diagnosis codes, mental/physical condition, prescription data, names of providers, medical record numbers, subscriber numbers, beneficiary numbers, Medicaid/Medicare ID numbers, patient account numbers, patient ID numbers, treatment cost details, and Social Security numbers. HealthEC has provided free credit monitoring and identity theft protection services to the impacted persons for one year.
Data breaches occurring at business associates of HIPAA-covered entities frequently affect many of their clients. Another HealthEC client that was impacted is Beaumont ACO, located in Michigan. People may receive two notification letters associated with this incident if they have previously received medical services from both Beaumont ACO and Corewell Health.
This is the second big data breach that affected Corewell Health patients in 2023. Last November, Welltok Inc., a provider of patient communication services, began informing about one million Corewell Health patients of the theft of some of their PHI after a zero-day vulnerability was exploited in the MOVEit Transfer file transfer solution of Progress Software. The two incidents are not related and were carried out by different attackers. The Clop hacking group stole the data of Corewell Health patients, such as names, birth dates, email addresses, telephone numbers, diagnoses, medical insurance details, and Social Security numbers. The same breach likewise impacted Priority Health, an insurance plan of Corewell Health.
Health data is very personal data. Michigan Attorney General Dana Nessel states that Michigan residents have encountered a spike in healthcare-associated data breaches and need protection. The Michigan legislature and other states need to require organizations that experience a data breach to promptly report it to the Department of Attorney General.