In December, INTEGRIS Health disclosed a cyberattack in November in which threat actors contacted patients directly to extort them when INTEGRIS wouldn’t pay their demands. DataBreaches subsequently reported additional details.
On February 6, INTEGRIS updated its breach notice. The updated website notice incorporates the kind of language that advocates for transparency and data protection may deplore or mock. As one example, INTEGRIS’s notice states (emphasis added by DataBreaches):
INTEGRIS Health is providing notice of the event so potentially affected individuals may take steps to better protect their information from misuse, should they feel it appropriate to do so.
They later add:
In an abundance of caution, INTEGRIS Health is also notifying potentially affected individuals and providing information on steps that may be taken to best protect personal information.
INTEGRIS is providing notice of the event because it is required by law. It is not voluntary in just “an abundance of caution.” It is required by HIPAA and HITECH as well as state laws, and any suggestion they chose to disclose “in an abundance of caution” is misleading at best.
And is INTEGRIS suggesting that most people wouldn’t feel it appropriate to take steps to protect their information better when their data is on the dark web? Shouldn’t they be encouraging or urging people to take steps to protect themselves in light of the data leak?
On January 26, INTEGRIS Health notified HHS that 2,385,646 patients were affected by this incident. That number is significantly lower than the number that appeared on the dark web site that both this site and Bleeping Computer looked at, but the TA informed DataBreaches that records on that site were not just from INTEGRIS. Some also came from at least one other health system. According to the TA, they acquired about 2.3 million records from INTEGRIS patients with Social Security numbers and dates of birth. Other patient records did not have those data types.
But if almost 2.4 million patients discovered in December that their data was exposed and available for purchase on the dark web, it was because many learned of it from the threat actors first. As soon as INTEGRIS discovered that the TA was contacting patients directly, it sent out an alert urging patients not to respond to the TA, but some patients are angry that they learned about it first from the threat actor and not from INTEGRIS. NonDoc reports:
One Edmond resident affected by the data breach — who agreed to speak with NonDoc on the condition of anonymity — said the hacker emailed him Dec. 24 with his name, Social Security number, phone number and address. INTEGRIS Health notified him of the attack Jan. 5, about 38 days after the breach occurred and 12 days after the hacker emailed patients. By that time, news outlets had already reported the hack publicly.
“They breached in November, the bad guys let me know in December, and I don’t hear anything from INTEGRIS until the start of the new year?” the man told NonDoc on the condition of anonymity. “It appears to me that INTEGRIS couldn’t organize a two-car funeral.”
The anger of patients and lawsuits filed against INTEGRIS should serve as a cautionary tale about the need to alert patients promptly when their data is already being leaked. Entities may prefer to complete their investigations first, but they appear to take a bigger reputation hit when others inform the patients before they do.
INTEGRIS Health’s updated notice does not inform patients that their data is available on the dark web. Should it?
Apart from claims that they are providing notice “in an abundance of caution,” other statements reported on NonDoc also include standard public relations language, such as claims that they take privacy and security seriously and that they cannot reveal more at this time because [insert your favorite language about ongoing investigation, working with FBI, etc. etc.].
There are legitimate reasons not to reveal everything about an incident immediately, but DataBreaches believes entities should tell patients immediately if their data is being leaked or sold on the dark web or clear net. They should be provided with immediate advice as to what they can do to protect their info and themselves. Patients should be finding out from the covered entity, not the media, and not the threat actors.
As reported by NonDoc, their spokesperson also told NonDoc:
“As we confirm affected individuals, we are reaching out to them to provide notification and support, including 24 months of access to free credit monitoring and identity protection services.”
Do the spokesperson’s statements mean that INTEGRIS still hasn’t notified everyone by letter? If so, there may be a lot more angry patients out there.