Integris Health patients in Oklahoma are receiving blackmail emails stating that their data was stolen in a cyberattack on the healthcare network, and if they did not pay an extortion demand, the data would be sold to other threat actors.
Integris Health is Oklahoma’s largest not-for-profit health network, operating hospitals, clinics, and urgent care throughout the state.
The healthcare network confirmed they suffered a cyberattack in November that led to the theft of patient data.
“INTEGRIS Health discovered potential unauthorized activity on certain systems,” reads a data privacy notice on Integris Health’s website.
“Upon becoming aware of the suspicious activity, INTEGRIS Health promptly took steps to secure the environment and commenced an investigation into the nature and scope of the activity.”
“The investigation determined that certain files may have been accessed by an unauthorized party on November 28, 2023.”
BleepingComputer has contacted Integris Health with questions about the attack but has not received a response.
Integris Health patients extorted
In extortion emails sent to patients on December 24th, the hackers claim they stole the personal data of over 2 million patients in the cyberattack on Integris Health.
This data allegedly includes Social Security Numbers, dates of birth, addresses, phone numbers, insurance information, and employer information.
BleepingComputer was told by patients of Integris Health that these emails contained accurate personal information, confirming that patient data was stolen in the attack.
“We have contacted Integris Health, but they refuse to resolve this issue,” reads the extortion email sent to Integris patients.
“We give you the opportunity to remove your personal data from our databases before we sell the entire database to data brokers on Jan 5 2024.”
The emails include a link to a Tor extortion site that currently lists the stolen data for approximately 4,674,000 people, including their names, Social Security Numbers, dates of birth, and information about hospital visits.
The website contains data added between October 19th and December 24th, 2023, allowing visitors to pay $50 to delete the data record or $3 to view it.
BleepingComputer has determined that the website has approximately 4,674,000 data records. However, it is unclear if any are duplicates.
Integris Health is aware of the emails sent to patients and has updated its security notice to warn recipients not to respond, contact the sender, or click on any of the links in the email.
While it is not known who is behind the attack on Integris Health, similar emails were sent to Fred Hutchinson Cancer Center (Fred Hutch) patients after the Hunters International ransomware gang breached the hospital.
The Fred Hutch emails also allowed patients to visit a dark website and delete their data by paying $50, making it likely that the same ransomware attack is behind the attack on Integris Health.
As threat actors can use the exposed data to conduct identity theft, some patients may be tempted to pay to delete the data.
However, as previous extortion demands have shown, paying a ransom does not always lead to the actual deletion of data.
Furthermore, once you pay a ransom, the threat actors know you are concerned about the data and may attempt to extort you further.