Integris Health Data Breach Sparks Cyber Extortion Attempts, Legal Battles

In November, Integris Health suffered a data breach impacting 2.4 million individuals, leading to a cascade of cyber extortion attempts, including one targeting a child and his mother, Teresa Johnston from Oklahoma. Cybercriminals exploited stolen data, demanding a $50 ransom from Johnston by Jan. 5, 2024, threatening to sell the information on the dark web otherwise.

Johnston’s lawsuit, among several others, alleges Integris’ lax data security facilitated the breach, exposing sensitive information like Social Security numbers. Extortion emails, sent to victims including Johnston, outlined the compromised data and demanded payment to prevent its sale to data brokers.

Integris Health, Oklahoma’s largest not-for-profit healthcare system, disclosed the breach affecting 2.38 million people to regulators on Jan. 26. Many lawsuits seek damages and improved data security measures from Integris.

Integris confirmed patients were directly contacted by hackers, prompting warnings against responding to or following instructions from such communications. The breach, discovered on Nov. 28, triggered an ongoing investigation into the scope and nature of the unauthorized access.

Experts note a troubling trend of cybercriminals targeting breached healthcare organizations’ patients for extortion. Mike Hamilton, founder of Critical Insight, highlights the growing tactic of ‘triple extortion,’ combining ransomware, stolen records, and direct victim contact to induce fear and potential lawsuits.

Hamilton suggests healthcare entities prepare for such incidents by implementing robust policies and communication plans for impacted patients. Additionally, he proposes reviewing statutory frameworks to mitigate the incentive for class action lawsuits and calls for devaluing stored records to minimize future breaches’ impact.
