Integris data breach involved 2.4 million people, 90% of them Oklahomans, government says

As a potential class action lawsuit kicks off in federal court, Integris Health has told federal regulators that nearly 2.4 million individuals were affected by a data breach last year involving Social Security numbers and other personal information.

Hackers stole the personal data of 2,385,646 people, making it one of the largest reported breaches of health information in the past two years. The report was made to the Office for Civil Rights at the U.S. Department of Health and Human Services.

An Integris attorney told a federal judge last month that about 90% of the victims are Oklahoma residents.

The breach only came to light when the hackers began emailing victims, demanding $50 to keep their information out of the hands of data brokers who buy this kind of information on the dark web. The emails suggested hackers attempted to extort money from Integris before reaching out to affected patients directly.

"We have contacted Integris Health, but they refuse to resolve this issue," the unknown sender wrote in emails.

It's not clear whether the data has been sold on the black market yet, but victims were told to pay before Jan. 5.

What to know about the potential class action suits against Integris over the data breach

The lawsuit is one of 11 prospective class action lawsuits filed as a result of the data breach. In January, Chief U.S. District Judge Timothy D. DeGiusti combined the lawsuits into one. The court still has to decide whether to allow the case to proceed as a class action. Integris has not yet answered the allegations in court but plans to do so after procedural motions are settled, a spokeswoman told The Oklahoman.

The lead plaintiff in the lawsuit is Aaron Zinck, a former Integris patient who received an email in December from the supposed hackers asking for money to remove his personal information from the dark web. His lawsuit accuses Integris of negligence, breach of implied contract and enriching itself "by saving the costs they reasonably should have expended on data security measures."

Zinck's attorney, Bill Federman, criticized the way Integris handled the breach. In letters sent to potential victims after the breach became public, the hospital network said its data was breached on Nov. 28. However, it wasn't publicly acknowledged until hackers began contacting victims directly. At that point, Integris began notifying individual suspected victims that their data may have been compromised.

Integris patients are still being notified about the leak. One letter shown to The Oklahoman was dated Feb. 6.

"It's incredibly unfortunate that this happened. It's just as unfortunate that Integris was not forthright or forthcoming in telling its patients and employees what happened," Federman said. "But we seek to find all that out and hold them accountable."

Integris has not revealed exactly when it learned of the data breach, but said it began investigating immediately. The hospital network partnered with a third-party cybersecurity specialist during the investigation and began sending notices to patients upon completion. As part of its data breach response, Integris is offering potential victims a period of free credit monitoring.

Theft of health records is a significant problem. According to data breach reports submitted to federal regulators, 161 million individual records have been stolen from over 850 health care providers in the past two years alone.

Federman said these cases all have a common element.

"They're not spending enough money to adequately protect people's data, or they're not hiring the right personnel to protect people's data. They have the money. They're simply not deploying it the way it needs to be," he said.

The stolen data also includes the personal information of newborns, he said.

It could take months for the U.S. District Court for the Western District of Oklahoma to decide whether the lawsuit should proceed as a class action.

This article originally appeared on Oklahoman: Integris data breach mostly impacted Oklahomans, company says