Hackers Try to Extort $50 From Child; 2 Million More at Risk
Oklahoma Integris Health Faces Multiple Patient Privacy Lawsuits in 2023 Breach

A hack at Integris Health in November affected an estimated 2.4 million people, but the fallout from the data breach didn't end there. At least one child, M.J. - and his Oklahoma mom Teresa Johnston - said cybercriminals used the stolen data to try to extort money from them.
Johnston opened an email in December from cybercriminals demanding that she and her child pay a $50 ransom before Jan. 5, 2024, or M.J.'s data would be sold to data brokers on the dark web.
Johnston claims the extortion email, which displayed M.J.'s personally identifiable information, including his Social Security number, as proof, has caused her anxiety, loss of sleep and "a state of persistent worry."
Her biggest fear, according to one of nearly a dozen proposed class action lawsuits filed against Integris Health in the wake of the breach, is that the PII of young M.J. and others could be used in identity scams and is "now in the hands of cybercriminals who will use their PII for nefarious purposes for the rest of their lives."
Johnston filed the lawsuit in an Oklahoma federal court on Jan. 19.
Integris Health, Oklahoma's largest not-for-profit healthcare system - which includes hospitals, specialty clinics and family care practices - is facing many similar lawsuits related to the hack. The healthcare group reported a network server breach to federal regulators on Jan. 26 and said it had affected 2.38 million people.
Many of the lawsuits filed so far - including the one filed by Johnston - seek financial damages and an injunctive order for Oklahoma City-based Integris to improve its data security practices. They allege that the plaintiffs were among an unspecified number of patients contacted by cybercriminals demanding ransom payments in exchange for removing individuals' information from a dark web marketplace.
Johnston alleged that as a result of Integris' "insufficient" data security, cybercriminals had easily infiltrated its inadequately protected computer systems and stolen the personally identifiable information of M.J. and the other patients.
From around Dec. 24 through Dec. 27, plaintiffs and class members began receiving emails saying their data had been compromised in November, the lawsuit alleges.
"Cybercriminals explicitly stated to plaintiffs and class members in the email, 'if you are receiving this message, your data have been compromised.'" In this email, cybercriminals said that the compromised data includes highly sensitive information, such as Social Security numbers, birthdates, addresses, phone numbers, insurance information and employer information.
"Cybercriminals also threatened plaintiffs and class members that their 'data will sell on the darknet and be used for fraud and identity theft,'" the lawsuit alleges. "What is perhaps most disturbing, however, is that in the email, cybercriminals provided M.J.'s address, telephone number, date of birth, and Social Security number as proof that it had indeed stolen M.J.'s PII from Integris," Johnston's lawsuit alleges.
Cybercriminals then extorted plaintiffs and the class by giving them until Jan. 5 to click on a dark web link - a Tor extortion site - contained in the email and pay $50 for their stolen information, the complaint said. "If plaintiffs and the class failed to do so, cybercriminals threatened it would sell the entire database to data brokers on Jan. 5."
The lawsuit alleges that the cybercriminals claimed they had contacted Integris after the hack, "but Integris refused to resolve this issue."
"This disturbing email from the cybercriminals makes it clear that M.J. and the class are at an imminent risk of fraud and identity theft. It was not until plaintiffs and the class were being extorted by cybercriminals that Integris made a public statement regarding the data breach," Johnston's lawsuit alleges.
Breach Details
Integris, in a notice updated on its website on Feb. 6, acknowledged that it was aware that some patients were being contacted directly by the hackers.
"As the review was ongoing, on Dec. 24, Integris learned that some patients began receiving communications from a group claiming responsibility for the unauthorized access. We encourage anyone receiving such communications to NOT respond to or contact the sender, or follow any of the instructions, including accessing any links," Integris said.
Integris' notice said the entity had discovered potential unauthorized activity on certain systems but didn't mention the date of that discovery.
"Upon becoming aware of the suspicious activity, Integris Health promptly took steps to secure the environment and commenced an investigation into the nature and scope of the activity. The investigation determined that certain files were accessed or acquired by an unauthorized party on Nov. 28." Integris said it had recently completed "a thorough review" of the affected data to determine the type of information and to whom it related.
Integris did not immediately respond to Information Security Media Group's request for additional details about the incident.
Attorneys representing Johnston and her child M.J. also did not immediately respond to ISMG's request for comment.
Troubling Trend
Hackers directly demanding ransoms from patients affected by health data breaches is a troubling evolution of these attacks, experts say.
In another recent incident, cybercriminals used the threat of swatting as a way to extort money from cancer patients of the Seattle-based Fred Hutchinson Cancer Center, which was hit in November with a cyberattack that affected about 1 million individuals (see: Cybercriminals Bully Cancer Patients With Swatting Threat).
"Cybercrime gangs directly contacting patients whose records have been purloined is increasingly common," said Mike Hamilton, founder and CISO of security firm Critical Insight.
"Direct victim contact is becoming institutionalized as one variant of 'triple extortion,' along with ransomware and stolen records held in abeyance," he said. "Along with a revenue stream from terrified patients, the tactic seems to be designed to create enough mental anguish in patients that a class action suit is guaranteed, providing that much more incentive to pay the extortion demand," he said.
While Integris has not publicly identified the cybercriminal gang that claimed credit for the attack, several groups - including LockBit, Clop, Alphv and others - have adopted the strategy of directly extorting patients, Hamilton said.
"Because this is becoming a trend, healthcare entities should assume that records theft will be accompanied by this tactic - and have policies and communication plans in place to address impacted patients with information on whether or not to pay the extortion demand, whether to engage with law enforcement, and how the entity will limit the impact of the disclosed information," he said.
Also, he said, because this extortion tactic amplifies the threat of further regulatory and civil action, the hospital should review the statutory underpinnings that allow for class action.
"Specifically, limiting the ability to sue a hospital every time records are disclosed would remove this perverse incentive and save our healthcare sector from further financial distress."
Hamilton also said that the U.S. Department of Health and Human Services should plan for how to implement the section of the national cybersecurity strategy that calls for the devaluation of records. "For example, limiting which fields should not be stored with others, such that multiple databases would need to be recombined to fully identify these victims," he said.