INTEGRIS Health is under fire for how they handled communication of a cyberattack in Nov. 2023, exposing sensitive patient data of 2.3 million individuals.
What happened
After initially disclosing a cyberattack in November, INTEGRIS Health updated its breach notice on February 6, 2024 incorporating language that some critics argue minimizes the seriousness of the incident and the organization's obligation to notify affected individuals. After some patients were contacted by threat actors who demanded money in exchange for not disclosing their personal information, INTEGRIS was forced to issue an update. Although the update was presented as a precautionary measure, the law mandates that disclosures like these be made under HIPAA and HITECH.
The update came after INTEGRIS reported to the HHS on January 26 that 2,385,646 patients were affected, a figure questioned due to additional data appearing on the dark web. The organization faced several lawsuits for failing to adequately protect patient data, including a notable case, Johnston v. Integris Health Inc., which accused Integris of negligence and sought damages. Other lawsuits, such as Zinck et al v. Integris Health Inc., echoed these allegations, criticizing the healthcare provider for not promptly and transparently communicating the breach.
The situation escalated when hackers contacted patients directly, demanding payment to prevent the sale of their data on the dark web, marking a disturbing trend of direct extortion attempts by cybercriminals. The discrepancy and the delayed notification have led to patient frustration and criticism of INTEGRIS's communication strategy.
See also: How to respond to a data breach
Why it matters
The INTEGRIS breach is significant for several reasons, as highlighted by the HIPAA breach report for January 2024. In December 2023, network server breaches, including the one affecting INTEGRIS Health, were the most detrimental, impacting 11,151,487 individuals. This type of breach was the most common attack vector, with 51 occurrences in that month alone, underscoring a critical vulnerability in healthcare institutions' cybersecurity frameworks.
The report's year-over-year comparison further accentuates the growing threat, showing a dramatic increase in network server breaches, both in terms of people affected and the frequency of such incidents. Specifically, breaches like those at HealthEC LLC and ESO Solutions, Inc., affecting millions, demonstrate the massive scale of potential harm. The INTEGRIS breach matters because it is part of a larger trend of escalating cyberattacks on healthcare providers, exposing the personal and sensitive information of millions of patients. This compromises patient privacy and increases the risk of identity theft and fraud.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
What are the signs of a data breach?
Signs of a data breach include unusual account activity, unauthorized financial transactions, unexpected password reset emails, and notices from companies about a security incident. Additionally, finding your information on the dark web is a clear indicator of a breach.
What should I do if my data has been breached?
If you suspect your data has been breached, change your passwords immediately, monitor your financial accounts for unusual activity, consider placing a fraud alert or credit freeze on your credit reports, and follow any advice provided by the breached entity.
How can I protect myself from data breaches?
Protect yourself by using strong, unique passwords for different accounts, enabling two-factor authentication, being cautious of phishing emails and suspicious links, regularly updating your software, and monitoring your financial and personal accounts for unusual activities.
Kirsten Peremore
