Health Care Data of Almost 1 Million ConnectOnCall User Exposed – Source: securityboulevard.com

A telehealth platform company used by health care firms to improve such operations as after-hours services is notifying more than 914,000 that their personal information may have been exposed in a month-long cyberattack earlier this year.

In a statement this month, ConnectOnCall officials wrote that hackers had broken into systems between February 16 and May 12 and accessed information, including some that had been passed between providers and patients.

“The personal information involved in this incident included information shared in communications between patients and their healthcare providers such as names and phone numbers, and may have also included medical record numbers, dates of birth, and information related to health conditions, treatments, or prescriptions,” ConnectOnCall wrote in the notice. “In a small number of cases, Social Security Numbers may have also been impacted.”

Health Care Systems Under Attack

The attack on ConnectOnCall – a subsidiary of Phreesia, a health care-focused software-as-a-service (SaaS) company that bought ConnectOnCall in October 2023 – is another incident that highlights the increasing focus by bad actors on the health care industry, which not only holds a lot of sensitive information of patients and employees but also uses numerous connected devices and has a reputation for having poor cybersecurity practices.

The attack earlier this year on UnitedHealth Group’s Change Healthcare data-processing subsidiary compromised the sensitive information of more than 100 million people and caused widespread disruption throughout the industry, from postponed operations and delayed payments to unfilled prescriptions. It also generated responses from federal lawmakers and regulatory agencies.

Financial institutions have long been a popular target of threat actors, given the sensitive and financial information they hold on large swaths of the population, from customer account details, credit card information, payment transaction data, according to Bob Palmer, director of product marketing for cybersecurity firm ColorTokens. Those firms responded by tightening their cybersecurity capabilities.

“As a result, recent statistics show that cybercriminals have turned their attention to a new opportunity: hospitals and clinical healthcare organizations,” Palmer wrote in a blog post. “These systems have become a prime target for ransomware attacks, as they often face life-threatening disruptions that can jeopardize patient care. Healthcare organizations have often found themselves compelled to comply with ransom demands to restore critical services.”

He added that “for threat actors, healthcare organizations are targeted not just for financial gain but also due to their urgency, critical nature and psychological impact.” Palmer pointed to a survey this year by the American Hospital Association that found there were 386 attacks on hospital systems through October, with 69% of survey respondents saying patient care was affected and 28% reporting higher mortality rates.

Among the high-profile cyber incidents highlighted in the survey were the attacks on Ascension Healthcare and HCA Healthcare.

System Taken Offline

In the ConnectOnCall attack, Phreesia wrote in May that executives learned that a hacker had gained access to the subsidiary’s systems and took the service offline. The company also contacted law enforcement agencies and worked with a cybersecurity firm to investigate the incident. ConnectOnCall officials wrote that they are restoring their service with a “phased” approach “in a new, more secure environment.”

ConnectOnCall hasn’t heard of the data exposed being misused or patients being harmed but urged potential victims to report suspected identity theft or fraud to their health plan operators, insurers, or financial institutions. In addition, the company is making credit monitoring services through Kroll to the “limited number of individuals” whose Social Security numbers were exposed.