Integris Health has reported to U.S. authorities that the data breach it suffered last November exposed personal information belonging to almost 2.4 million people.
The organization is Oklahoma’s largest not-for-profit healthcare network, operating hospitals, clinics, and emergency care units across the state.
On December 26, 2023, the organization confirmed it suffered a cyberattack after patients started receiving extortion emails informing that their sensitive personal information. Unless Integris Health met the attacker’s demands, the stolen data would be sold to other cybercriminals on January 5, 2024.
The threat actor told BleepingComputer that their attack did not involve encryption and they only stole the data.
This did not cause any network interruption and allowed Integris Health to keep providing its services to patients.
The emails the patients received from the threat actor contained accurate information and linked to a website in the Tor network hosting the stolen details, but access was not free.
Visitors could pay $50 and trust the attacker’s word on removing the details, or pay $3 to view information belonging to any other impacted individual.
Integris published last week a notification confirming that the incident impacted patient data, which included the following details:
- Full name
- Date of birth
- Contact information
- Demographic information
- Social Security Number (SSN)
The organization clarified that the leaked data did not involve employment information, driver’s licenses, account credentials (usernames and passwords), or financial information.
Talking to BleepingComputer, the threat actor said that they are selling on a dark web marketplace data for 2.3 million Integris patients (based on the number of social security numbers in the database).
In a new entry today, the U.S. Department of HHS Office for Civil Rights (OCR) portal shows that the number of impacted Integris Health patients is 2,385,646.
Integris Health says all affected patients will receive individual notifications, and recipients should remain vigilant to spot and report identity theft and fraud attempts early.
The organization has published a FAQ in the form of a PDF where victims can find some additional information regarding the incident, how it impacts them, and what protective steps they can take.
It is worth noting that the deadline the threat actor set for Integris Health to pay a ransom has long passed and it is very likely that the stolen data has been sold or share with other cybercriminals, who could use it for various scams, phishing, or other types of attacks.