Cyber Incident Victim: Integris Health
Date: Nov 2023
Location: United States of America
Summary
A healthcare provider experienced a cyberattack resulting in unauthorized access to patient data, which included names, Social Security numbers, dates of birth, contact details, demographic information, insurance details, and employer records. The attackers subsequently sent extortion emails to affected individuals, demanding payment to prevent the sale of their stolen information and directing recipients to a dark web portal. The organization confirmed the breach, secured its systems, and initiated an investigation while advising patients not to engage with the threat actors. The incident exposed sensitive personal information, prompting notifications to potentially impacted individuals and guidance on protective measures against identity theft and fraud.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |

Description
INTEGRIS Health, Oklahoma's largest non-profit healthcare network operating hospitals, clinics, and urgent care facilities statewide, experienced a cybersecurity incident involving unauthorized access to patient data. The organization detected suspicious activity in November 2023, prompting immediate measures to secure its systems and initiate an investigation. Forensic analysis confirmed that an unauthorized party potentially accessed files on November 28, 2023, though the full scope remained under review. The compromised data included sensitive personal information such as names, Social Security numbers, dates of birth, contact details, demographic information, insurance records, and employer data. INTEGRIS Health began notifying potentially affected individuals about the breach while continuing to assess the extent of the exposure, emphasizing that information types varied across individuals.

On December 24, 2023, patients started receiving extortion emails from actors claiming responsibility for the attack, demanding payments to prevent the sale of stolen data. These communications directed recipients to a Tor-based portal where hackers offered to delete records for $50 or provide access for $3, threatening to sell the entire database to brokers by January 5, 2024. The threat actors asserted they had exfiltrated personal information belonging to over two million patients, a claim partially corroborated by recipients who verified the accuracy of their data in the extortion messages. INTEGRIS Health publicly advised against engaging with the senders, accessing embedded links, or complying with payment demands, instead directing affected individuals to credit monitoring resources and identity theft protections. The healthcare provider established a dedicated email channel ([email protected]) for inquiries and outlined specific protective measures, including guidance on obtaining free credit reports, implementing fraud alerts, and initiating credit freezes through major bureaus like Equifax, Experian, and TransUnion. The incident highlighted risks of secondary extortion attempts and potential long-term misuse of exposed personal information.
