
Integris Health was hit by a cyberattack in November that compromised patient data. Integris is Oklahoma’s largest non-profit health network and operates hospitals, clinics and urgent care facilities across the state.

At this point all they are saying is that they discovered unauthorized activity on certain systems and promptly took steps to secure the environment.

Integris, it appears, has opted not to pay off the attackers to stop them from selling the data, instead making it their customers’ problem.

So, in a tactic we are beginning to see more often, the attackers are reaching out to the millions of victims (they said it was over two million, but the web site they are running shows almost five million names), saying that if you just pay us $50 we will delete your record.

$50 x 2 million victims is a hundred million dollars.

The hospital, for its part, is telling patients not to pay. Instead, they are telling patients that they are still trying to figure out how much data was stolen and once they have figured that out, maybe months from now, they will offer folks free credit monitoring. Likely credit monitoring they already have from another breach.

Just to be clear, credit monitoring is basically USELESS when it comes to healthcare fraud because hackers sell the information to allow others to commit health fraud – not credit card fraud. Health fraud doesn’t show up on your credit report until the users of the stolen data don’t pay their bill and the hospital sends YOU to collections.

Recipients of the email have until January 5th to reply. After that, the hackers say they are going to sell the data.

These direct-to-victim emails were also sent to the customers of the Fred Hutchinson Cancer Center after they were hacked earlier this month.

We really don’t have much case law that would inform us as to how this might affect a jury. I do think if patients pay the money that will definitely give them “standing” in a class action lawsuit. Article III of the US Constitution requires plaintiffs in a federal lawsuit to show that they have suffered concrete harm in order to bring a lawsuit. This would seem to qualify.

So now businesses have yet another risk to worry about – hackers going directly after your customers trying to extort them. And them suing you as a result.

It is better not to get breached. Need help – please contact us BEFORE anything happens.

Credit: Bleeping Computer, OKC Fox 25 and Security Week