Integris, St. Anthony patients hacked, deceived, kept in the dark

by Dave Moore, CISSP

01/14/2024

How would you like it if you woke up one day, checked your email, and saw this:

“Integris Health was breached on November 2023. The data of over 2 million patients was compromised, including SSN, DOB, address, phone, insurance information, and employer information. This data will sell on the darknet and be used for fraud and identity theft.”

“If you are receiving this message, your data have been compromised. We provide a sample as proof,” and then, there it is: the proof. The senders of the scary email list your address, phone number, date of birth, and Social Security number.

This is no phony, cheesy scam trying to fool you; it’s the real deal. You have been hacked.

Stunned, you instinctively turn on the TV to see if somehow there’s some information that can help you, and there it is, again. On the TV screen you see your email, the exact hacker email you received.

The name and personal details have been fuzzed out, but by golly, there it is: a local news channel is showing the email you received, and reporting that thousands and thousands of people have received the same message from the same Internet bad guys, with the same promise: pay us some money and we will remove your information from the list. Don’t pay, and you will become a defrauded identity theft victim.

How did this happen? Integris knew about the breach on November 28, but it wasn’t until after the data criminals sent out their extortion emails on December 24 that Integris decided to let the outside world know what had happened. Even then, all they did was post a vague, unhelpful notice on their website, and haven’t done anything since then to actually help the victims of their negligence.

Did I say “negligence?” In my professional opinion, that’s what we are seeing. That is also the opinion of multiple class-action lawsuits that have been filed over the debacle.

But wait, there’s more! Imagine a few days later, December 28, you get a letter from some weird company you’ve never heard of called Navvis, notifying you of a “data event.”

“On July 25, 2023,” the notice reads, “Navvis… became aware of suspicious activity on its computer network… Navvis determined that, between July 12, 2023 – July 25, 2023, it was a victim of a cyber-attack, and a threat actor had access to certain systems that stored personal and protected health information,” which included “an individual’s name, date of birth, Medicaid/Medicare ID number, health plan information, medical treatment information, medical record number, patient account number, case identification number, provider and doctor information and health record information, and in some circumstances, Social Security number.”

Your mind starts racing. “Threat actor,” you think. “What’s a ‘threat actor?’ Is it a Hollywood thing? What does this have to do with me? Who are these ‘threat actors?’ Are they criminals? If Internet criminals hacked Navvis and stole people’s private health information six months ago, why is Navvis just now getting around to telling anyone?”

Again, you turn on the TV searching for answers, and again, there’s a local news story showing a picture of the same letter you are holding in your hand, only the news people are talking about SSM Health, which runs another hospital you’ve visited in the past: St. Anthony’s in Oklahoma City.

Navvis, it turns out, partners with SSM St. Anthony to provide “health management services.” Navvis has been hacked, putting the private data of millions of people at risk, which, in your case means SSM Health and St. Anthony have been hacked.

And then, the gravitas of the situation sinks in: that means you, too, have also been hacked, again.

Navvis and SSM Health then engage in the same old song and dance routine that people afraid of getting in trouble do every day: deny, deflect, distract, obfuscate, confuse, and by all means, blame somebody else. Never accept responsibility for having done something wrong.

And, just like Integris, they drag out the same old insulting offer of “free credit monitoring and identity protection services,” which is a bit like offering someone diagnosed with terminal cancer a free health checkup. For shame.