
Hackers Try to Extort $50 From Child, 2 Million More at Risk – Source: www.databreachtoday.com


Cybercrime, Fraud Management & Cybercrime, Governance & Risk Management

Oklahoma Integris Health Faces Multiple Patient Privacy Lawsuits in 2023 Breach

Marianne Kolbasuk McGee (HealthInfoSec) • February 14, 2024

Hackers have tried to extort ransom payments from patients affected by a data theft at Integris Health last November (Image: Integris Health)

A hack at Integris Health in November affected an estimated 2.4 million people, but the fallout from the data breach didn’t end there. At least one child, M.J., and his Oklahoma mom Teresa Johnston say cybercriminals used the stolen data to try to extort money from them.

Johnston opened an email in December from cybercriminals demanding that she and her child pay a $50 ransom before Jan. 5, 2024, or M.J.’s data would be sold to data brokers on the dark web.

Johnston claims the extortion email, which displayed M.J.’s personally identifiable information including his Social Security number as proof, has caused her anxiety, loss of sleep and “a state of persistent worry.”

Her biggest fear, according to one of nearly a dozen proposed class action lawsuits filed against Integris Health in the wake of the breach, is that the PII of young M.J. and others could be used in identity scams and is “now in the hands of cybercriminals who will use their PII for nefarious purposes for the rest of their lives.”

Johnston filed the lawsuit in an Oklahoma federal court on Jan. 19.

Integris Health, Oklahoma’s largest not-for-profit healthcare system, including hospitals, specialty clinics and family care practices, is facing many other similar lawsuits related to the hack. The healthcare group reported a network server breach to federal regulators on Jan. 26 that affected 2.38 million people.

Many of the lawsuits filed so far – like the one filed by Johnston – seek financial damages and an injunctive order for Oklahoma City-based Integris to improve its data security practices. They allege that the plaintiffs were among an unspecified number of patients contacted by cybercriminals demanding ransom payments in exchange for removing individuals’ information stolen in the hack from a dark web marketplace.

Johnston alleges that as a result of Integris’ “insufficient” data security, cybercriminals easily infiltrated Integris’ inadequately protected computer systems and stole the personally identifiable information of M.J. and the other patients.

From around Dec. 24 through Dec. 27, plaintiffs and class members began receiving emails from cybercriminals, warning that they are among 2 million Integris patients whose information was compromised in November, the lawsuit alleges.

“Cybercriminals explicitly stated to plaintiffs and class members in the email, ‘if you are receiving this message, your data have [sic] been compromised.’” In this email, cybercriminals said highly sensitive information such as Social Security numbers, date of birth, address, phone, insurance information and employer information was among the compromised data.

“Cybercriminals also threatened plaintiffs and class members that their ‘data will sell [sic] on the darknet and be used for fraud and identity theft,’” the lawsuit alleges. “What is perhaps most disturbing, however, is that in the email, cybercriminals provided M.J.’s address, telephone number, date of birth, and Social Security number as proof that it had indeed stolen M.J.’s PII from Integris,” Johnston’s lawsuit alleges.

Cybercriminals then extorted plaintiffs and the class by giving them until Jan. 5 to click on a dark web link – a Tor extortion site – contained in the email and pay $50 for their stolen information, the complaint said. “If plaintiffs and the class failed to do so, cybercriminals threatened it would sell the entire database to data brokers on Jan. 5.”

The lawsuit alleges that the cybercriminals claimed they contacted Integris after the hack, “but Integris refused to resolve this issue.”

“This disturbing email from the cybercriminals makes it clear that M.J. and the Class are at an imminent risk of fraud and identity theft. It was not until plaintiffs and the class were being extorted by cybercriminals that Integris made a public statement regarding the data breach,” Johnston’s lawsuit alleges.

Breach Details

Integris, in a notice updated on its website on Feb. 6, acknowledged that it was aware some patients were being contacted directly by the hackers.

“As the review was ongoing, on Dec. 24, Integris learned that some patients began receiving communications from a group claiming responsibility for the unauthorized access. We encourage anyone receiving such communications to NOT respond to or contact the sender, or follow any of the instructions, including accessing any links,” Integris said.

Integris’s notice said the entity had discovered potential unauthorized activity on certain systems, but doesn’t mention a date for that discovery.

“Upon becoming aware of the suspicious activity, Integris Health promptly took steps to secure the environment and commenced an investigation into the nature and scope of the activity. The investigation determined that certain files were accessed or acquired by an unauthorized party on Nov. 28.” Integris said it just recently completed “a thorough review” of the affected data to determine the type of information, and to whom it related.

Integris did not immediately respond to Information Security Media Group’s request for additional details about the incident.

Attorneys representing Johnston and her child M.J. also did not immediately respond to ISMG’s request for comment.

Troubling Trend

Hackers directly demanding ransoms from patients affected by health data breaches is a troubling evolution of these attacks, experts say.

In another recent incident, cybercriminals used the threat of swatting as a way to extort money from cancer patients of the Seattle-based Fred Hutchinson Cancer Center, which was hit in November with a cyberattack affecting about 1 million individuals (see: Cybercriminals Bully Cancer Patients with Swatting Threats).

“Cybercrime gangs directly contacting patients whose records have been purloined is increasingly common,” said Mike Hamilton, founder and CISO of security firm Critical Insight.

“Direct victim contact is becoming institutionalized as one variant of ‘triple extortion,’ along with ransomware and stolen records held in abeyance,” he said. “Along with a revenue stream from terrified patients, the tactic seems to be designed to create enough mental anguish in patients that a class action suit is guaranteed, providing that much more incentive to pay the extortion demand,” he said.

While Integris has not publicly identified the cybercriminal gang claiming credit for its attack, several groups, including Lockbit, Clop, ALPHV and others have adopted the direct-patient-extortion strategy, Hamilton said.

“Because this is becoming a trend, healthcare entities should assume that records theft will be accompanied by this tactic – and have policies and communication plans in place to address impacted patients with information on whether or not to pay the extortion demand, whether to engage with law enforcement, and how the entity will limit the impact of the disclosed information,” he suggested.

Also, because this extortion tactic amplifies the threat of further regulatory and civil action, the statutory underpinnings that allow for class action should be reviewed, he contends.

“Specifically, limiting the ability to sue a hospital every time records are disclosed would remove this perverse incentive and save our healthcare sector from further financial distress,” he said.

Also, he suggests that the U.S. Department of Health and Human Services should plan on how to implement the section of the national cybersecurity strategy that calls for the devaluation of records. “For example, limiting which fields should not be stored with others, such that multiple databases would need to be recombined to fully identify these victims,” he suggested.

Original Post url: https://www.databreachtoday.com/hackers-try-to-extort-50-from-child-2-million-more-at-risk-a-24364
