Corporate amnesia Classaction lawsuit criticizes INTEGRIS Health cyberattack response
pThe hospital system changed digital security providers last fall but officials have declined to say if the hack was relatedppSeveral lawsuits have been filed against INTEGRIS Health the largest notforprofit Oklahomaowned health system in the state after a hacker claims to have obtained names dates of birth Social Security numbers and contact and demographic information from more than 22 million patients during a November cyberattackppMeanwhile a separate health care system that serves northeast Oklahoma suffered a cyberattack within the same week and lawmakers are proposing legislation that would require hospitals to notify the Attorney Generals Office after data breaches occurppAlthough INTEGRIS Healths leadership believes their attack occurred Nov 28 impacted patients were not notified of the breach until the bad actor emailed people on Christmas Eve seeking payment in exchange for deletion of their personal health informationppINTEGRIS Health is Edmonds largest private employer and operates the citys largest hospital Several people whose families apparently had their personal information stolen declined to speak publicly about the data breach for fear of reprisal by the hacker although each expressed frustration with INTEGRIS for the apparent delay in notifying patients about the breachppOne Edmond resident affected by the data breach who agreed to speak with NonDoc on the condition of anonymity said the hacker emailed him Dec 24 with his name Social Security number phone number and address INTEGRIS Health notified him of the attack Jan 5 about 38 days after the breach occurred and 12 days after the hacker emailed patients By that time news outlets had already reported the hack publiclyppThey breached in November the bad guys let me know in December and I dont hear anything from INTEGRIS until the start of the new year the man told NonDoc on the condition of anonymity It appears to me that INTEGRIS couldnt organize a twocar funeralppINTEGRIS Health has offered 24 months of free credit monitoring to patients impacted by the data breachppThe notion of giving someone free credit monitoring for two years after knowing they have been hacked for nearly two months seems like a halfassed gesture to help you the INTEGRIS patient saidppINTEGRIS Health communities in Oklahomapp Ada
Altus
Antlers
Atoka
Blackwell
Chandler
Cherokee
Cheyenne
Chickasha
Clinton
Coalgate
Del City
Duncan
Edmond
Elk City
El Reno
Enid
Grove
Hennessey
Hinton
Hobart
Hugo
Kingfisher
Lawton
Mangum
Medford
Miami
Moore
Newcastle
Norman
Okeene
Oklahoma City
Perry
Ponca City
Purcell
Sayre
Seminole
Stillwater
Stroud
Vinita
Watonga
Waynoka
Waurika
Weatherford
Woodward
YukonppInitially 11 separate classaction lawsuits were filed against INTEGRIS Health in the US District Court for the Western District of Oklahoma In the latest court filings Timothy DeGiusti chief US district judge consolidated each case under Zinck et al v INTEGRIS Health IncppOwing to the sheer amount of classmembers involved in the case the court has found some potential conflictofinterests involving its law clerks The mother of one law clerk assigned to the case is a class member while two other law clerks in the courts chambers are class members themselves DeGiusti wrote in a Jan 31 orderppIf any party of the case files an objection against those law clerks by 5 pm Monday Feb 5 the court will find a conflictfree law clerk from another judge in the Western District If no objections are filed those law clerks will continue on the caseppAdditionally there are jurisdictional concerns under the Class Action Fairness Act CAFA vests federal courts with jurisdiction over putative class actions where the amount in controversy exceeds 5 million in the aggregate and there is minimal diversity between the partiesppAmanda Harvey counsel for INTEGRIS stated that based on preliminary calculations there are approximately 2285646 INTEGRIS patients impacted by the data breach Of those patients Ms Harvey stated it is currently believed that approximately 90 percent are Oklahoma residents DeGiusti wrote in the Jan 31 orderppTo address the issues under CAFA DeGiusti ordered Harvey to file a notice with the court by Feb 13 in which counsel shall set forth INTEGRISs most recent interpretation of the figures regarding residency of putative class members as discussed during the status conferenceppBrooke Cayot a communications manager with INTEGRIS Health provided a statement directing impacted patients to the companys website for further informationppThe privacy confidentiality and security of our patients personal information are top priorities for INTEGRIS Health As we work with thirdparty specialists to investigate this matter and determine the scope of affected data and to whom that data relates we are providing the latest information for patients and the public here Cayot wrote As we confirm affected individuals we are reaching out to them to provide notification and support including 24 months of access to free credit monitoring and identity protection services As our investigation into this matter is ongoing we are unable to provide additional information at this timeppINTEGRIS Health representatives have largely declined to answer specific questions about the situation but Cayot confirmed the FBI is involved in an ongoing investigationppWe are unable to answer some of the below questions as we continue to work with thirdparty specialists as well as the FBI to complete the investigation Cayot said INTEGRIS Health takes the security of our patients information seriously Our security team regularly consults with industry experts on the latest protections and safeguards available to thwart illegal activityppWe understand the uncertainty and concerns that the data breach has caused our community It is an unfortunate reality of doing business today that new threats continuously emerge in an attempt to disrupt the care we provide and impact the trust of those who rely upon us in their time of needppSometime in fall 2023 INTEGRIS Health changed its software security provider from VMWare to Citrix However the health system has since switched back to VMWare temporarilyppWe did move to Citrix in the fall Cayot said However we moved temporarily back to VMwareppComplications related to the switch to Citrix last fall allegedly caused an array of problems including at least one weekend during which nurses and doctors struggled to access certain patient datappAsked whether the changes in software security systems is believed to be related to the data breach Cayot declined to answerppJonathan Rule the chief hospital executive of INTEGRIS Health Edmond spoke on the hospitals growth and expanding workforce needs during a Zoom presentation at an Edmond Economic Development Authority meeting Jan 16 but he did not address the data breach INTEGRIS Health is the fourth largest employer in Edmond following Edmond Public Schools the University of Central Oklahoma and the City of EdmondppWe said were going to grow with Edmond and weve done that Were now the largest private employer in the city Rule said As we add additional clinics and as we continue to operationalize the rest of our expansion I fully anticipate that well probably move into that number three spot here in the next three to five yearsppAround the same time as the INTEGRIS Health data breach Ardent Health Services the parent company of the Hillcrest Healthcare System which serves northeast Oklahoma endured a cyberattack of its own Although Ardent announced its breach within a week of it occurring patients whose data had been breached were not contacted directly by the company for nearly two months according to a timeline of statements on the Ardent Health websiteppIn a Nov 27 press release Ardent Health Services announced it became aware of a cybersecurity incident that occurred Nov 23 five days before the INTEGRIS Health breachppIn response Ardent Health Services informed law enforcement of the incident and took its network offline suspending all user access to its information technology applications including corporate servers Epic software internet and clinical programs according to the press release The health care provider restored access to Epic its electronic health record provider on Dec 6 according to another press releaseppIn a Jan 22 press release Ardent Health Services said its investigation into the issue revealed that an unauthorized actor extracted copies of documents that include certain individuals personal information That information includes addresses phone numbers Social Security numbers email addresses medical treatment information health insurance and claims information as well as Medicaid and Medicare numbersppOn Jan 22 2024 Ardent Health Services and its affiliated entities began mailing letters to individuals whose information may have been involved in the incident the updated statement reads Our data review process is ongoing and will take time to complete As we identify additional impacted individuals we will mail letters to them in accordance with all applicable lawsppAsked whether there is any indication the Ardent cyberattack and INTEGRIS cyberattack could be related Brittany Parmley a spokeswoman for Hillcrest said that question should be directed to law enforcementppAsked what agency is investigating the Hillcrest data breach Parmley replied that Ardent would not share that informationppEverything that we have shared is available online Parmley saidppBoth INTEGRIS Health and Ardent Health Services use Epic as their electronic health record provider However Cayot said INTEGRIS Health officials could not consider whether the two November cyberattacks were linked in any way emphasizing that the investigation is still ongoingppWe are unable to speculate on whether the Hillcrest cyberattack was related INTEGRIS Healths investigation and review of potentially impacted data to determine the type of information and to whom it relates is ongoing Cayot said Feb 5 We have emailed letters to those with an email on file and additional letters will begin mailing later this weekppFollow NonDocs Edmond coverageppArchives Twitter Edmond EmailppWilliam Federman an attorney representing the group of INTEGRIS patients affected by the data breach said the company has not communicated effectively with its customersppINTEGRIS has not been forthcoming with many details It appears there was a ransomware attack It appears the ransomware attack was successful to infiltrate INTEGRIS cyber environment It further appears that the ransomware attackers gained access to the confidential health and personal information of INTEGRIS employees and potentially patients Federman said Were fairly confident that information was exfiltrated because all of the lawsuit class members have been receiving essentially blackmail emails from the bad actor wanting to be paid offppAfter the perpetrator emailed patients Dec 24 INTEGRIS Health posted a statement to its website that day notifying patients of the cyberattackppRegrettably we are writing to inform you of a cyber event that may have impacted our patient data Specifically we became aware of unauthorized access to a certain portion of our network that stores patient information the Dec 24 statement said Upon becoming aware of the activity INTEGRIS Health promptly took steps to secure the environment and commenced an investigation into the nature and scope of the activity There was no interruption to any services as a result of this event and INTEGRIS Health remains fully operationalppAfter allegedly failing to receive extorted payments from INTEGRIS Health itself the hacker attempted to extort patients Federman said by giving them until Jan 5 to pay 50 for their stolen personal health information If they failed to make the payment the hacker threatened it would sell the entire database to dark web data brokers on Jan 5 2024 the litigation complaint statesppIt is unclear whether patient data was sold Jan 5ppIn their email to patients the hacker said they contacted INTEGRIS after the breach but INTEGRIS refused to resolve the issue according to the complaintppINTEGRIS Healths updated statement said an investigation was launched after becoming aware of the suspicious activityppThe investigation determined that certain files may have been accessed by an unauthorized party on Nov 28 2023 INTEGRIS Health initiated a review of the potentially accessed data to determine the type of information and to whom it related which is currently underway the statement said As that review was ongoing on Dec 24 2023 INTEGRIS Health learned that patients began receiving communications from a group claiming responsibility for the unauthorized accessppThe company ecnouraged anyone receiving such communications to NOT respond or contact the sender or follow any of the instructions including accessing any linksppFederman claims INTEGRIS Health put its patients at risk by failing to take action against the cyberattack in a timely mannerppIts very troubling that INTEGRIS is not ahead of the game here and seems to be behind the eight ball INTEGRIS should have done something to lock down its system to prevent the problem from happening Once the problem happened they should have advised the affected patients immediately so they could have taken action Federman said Its essentially been silence from INTEGRIS You just cant be the ostrich with your head in the ground You have to be proactive Youre failing your customers your patientsppFederman said he expects INTEGRIS Health to stiff arm the class members of his lawsuit as they continue to seek more information about the attack and its impactppIt doesnt behoove anyone the class members INTEGRIS nobody for INTEGRIS to simply keep a secret here Federman said Thats what theyre doing Playing corporate amnesiappThe civil complaint filed Dec 28 lists five causes of action Negligence negligence per se breach of implied contract unjust enrichment and declaratory and injunctive reliefppPrior to the Oklahoma Legislature gaveling in for its 2024 regular session Feb 5 Sen Brent Howard RAltus filed legislation in December that would modify notice requirements for data breaches of certain security systems The bill would add new definitions for reasonable safeguards and restricted informationppSenate Bill 1337 if passed would require entities or individuals to provide notice to the attorney general of such breach without unreasonable delay but in no event more than 60 days after discovery of the breach Currently Oklahomas existing Security Breach Notification Act provides no time frame for when the attorney general should be notified of such a breachppWhile the Security Breach Notification Act already allows the attorney general or a district attorney exclusive authority to bring action and obtain either actual damages or a civil penalty not to exceed 150000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation Howards legislation would also allow the attorney general or a district attorney to seek actual damages and civil penalty equaling 150000 or 2000 per individual affected per breach whichever is greater The bill also adds hospitals as specific entities to be in compliance with provisions of the actppAsked if SB 1337 was filed in response to the recent data breaches at hospitals Howard said the bill is part of an initiative that began in the Attorney Generals Office back in August or SeptemberppThis one is something that the Attorney Generals Office has been working on and Ive kind of helped just shepherd it through Howard said But yeah its to put that within the AGs office and overview within thereppPhil Bacharach communications director for Attorney General Gentner Drummond called the bill a commonsense proposalppBusinesses and consumers all too often find themselves victimized by hackers and other unscrupulous actors and without recourse for prosecution Bacharach said SB 1337 would help ensure bad actors are held accountable for data breaches Its a commonsense probusiness and proconsumer measurepp
Name
pp
Email address
pp
ZIP code
pp
p
Altus
Antlers
Atoka
Blackwell
Chandler
Cherokee
Cheyenne
Chickasha
Clinton
Coalgate
Del City
Duncan
Edmond
Elk City
El Reno
Enid
Grove
Hennessey
Hinton
Hobart
Hugo
Kingfisher
Lawton
Mangum
Medford
Miami
Moore
Newcastle
Norman
Okeene
Oklahoma City
Perry
Ponca City
Purcell
Sayre
Seminole
Stillwater
Stroud
Vinita
Watonga
Waynoka
Waurika
Weatherford
Woodward
YukonppInitially 11 separate classaction lawsuits were filed against INTEGRIS Health in the US District Court for the Western District of Oklahoma In the latest court filings Timothy DeGiusti chief US district judge consolidated each case under Zinck et al v INTEGRIS Health IncppOwing to the sheer amount of classmembers involved in the case the court has found some potential conflictofinterests involving its law clerks The mother of one law clerk assigned to the case is a class member while two other law clerks in the courts chambers are class members themselves DeGiusti wrote in a Jan 31 orderppIf any party of the case files an objection against those law clerks by 5 pm Monday Feb 5 the court will find a conflictfree law clerk from another judge in the Western District If no objections are filed those law clerks will continue on the caseppAdditionally there are jurisdictional concerns under the Class Action Fairness Act CAFA vests federal courts with jurisdiction over putative class actions where the amount in controversy exceeds 5 million in the aggregate and there is minimal diversity between the partiesppAmanda Harvey counsel for INTEGRIS stated that based on preliminary calculations there are approximately 2285646 INTEGRIS patients impacted by the data breach Of those patients Ms Harvey stated it is currently believed that approximately 90 percent are Oklahoma residents DeGiusti wrote in the Jan 31 orderppTo address the issues under CAFA DeGiusti ordered Harvey to file a notice with the court by Feb 13 in which counsel shall set forth INTEGRISs most recent interpretation of the figures regarding residency of putative class members as discussed during the status conferenceppBrooke Cayot a communications manager with INTEGRIS Health provided a statement directing impacted patients to the companys website for further informationppThe privacy confidentiality and security of our patients personal information are top priorities for INTEGRIS Health As we work with thirdparty specialists to investigate this matter and determine the scope of affected data and to whom that data relates we are providing the latest information for patients and the public here Cayot wrote As we confirm affected individuals we are reaching out to them to provide notification and support including 24 months of access to free credit monitoring and identity protection services As our investigation into this matter is ongoing we are unable to provide additional information at this timeppINTEGRIS Health representatives have largely declined to answer specific questions about the situation but Cayot confirmed the FBI is involved in an ongoing investigationppWe are unable to answer some of the below questions as we continue to work with thirdparty specialists as well as the FBI to complete the investigation Cayot said INTEGRIS Health takes the security of our patients information seriously Our security team regularly consults with industry experts on the latest protections and safeguards available to thwart illegal activityppWe understand the uncertainty and concerns that the data breach has caused our community It is an unfortunate reality of doing business today that new threats continuously emerge in an attempt to disrupt the care we provide and impact the trust of those who rely upon us in their time of needppSometime in fall 2023 INTEGRIS Health changed its software security provider from VMWare to Citrix However the health system has since switched back to VMWare temporarilyppWe did move to Citrix in the fall Cayot said However we moved temporarily back to VMwareppComplications related to the switch to Citrix last fall allegedly caused an array of problems including at least one weekend during which nurses and doctors struggled to access certain patient datappAsked whether the changes in software security systems is believed to be related to the data breach Cayot declined to answerppJonathan Rule the chief hospital executive of INTEGRIS Health Edmond spoke on the hospitals growth and expanding workforce needs during a Zoom presentation at an Edmond Economic Development Authority meeting Jan 16 but he did not address the data breach INTEGRIS Health is the fourth largest employer in Edmond following Edmond Public Schools the University of Central Oklahoma and the City of EdmondppWe said were going to grow with Edmond and weve done that Were now the largest private employer in the city Rule said As we add additional clinics and as we continue to operationalize the rest of our expansion I fully anticipate that well probably move into that number three spot here in the next three to five yearsppAround the same time as the INTEGRIS Health data breach Ardent Health Services the parent company of the Hillcrest Healthcare System which serves northeast Oklahoma endured a cyberattack of its own Although Ardent announced its breach within a week of it occurring patients whose data had been breached were not contacted directly by the company for nearly two months according to a timeline of statements on the Ardent Health websiteppIn a Nov 27 press release Ardent Health Services announced it became aware of a cybersecurity incident that occurred Nov 23 five days before the INTEGRIS Health breachppIn response Ardent Health Services informed law enforcement of the incident and took its network offline suspending all user access to its information technology applications including corporate servers Epic software internet and clinical programs according to the press release The health care provider restored access to Epic its electronic health record provider on Dec 6 according to another press releaseppIn a Jan 22 press release Ardent Health Services said its investigation into the issue revealed that an unauthorized actor extracted copies of documents that include certain individuals personal information That information includes addresses phone numbers Social Security numbers email addresses medical treatment information health insurance and claims information as well as Medicaid and Medicare numbersppOn Jan 22 2024 Ardent Health Services and its affiliated entities began mailing letters to individuals whose information may have been involved in the incident the updated statement reads Our data review process is ongoing and will take time to complete As we identify additional impacted individuals we will mail letters to them in accordance with all applicable lawsppAsked whether there is any indication the Ardent cyberattack and INTEGRIS cyberattack could be related Brittany Parmley a spokeswoman for Hillcrest said that question should be directed to law enforcementppAsked what agency is investigating the Hillcrest data breach Parmley replied that Ardent would not share that informationppEverything that we have shared is available online Parmley saidppBoth INTEGRIS Health and Ardent Health Services use Epic as their electronic health record provider However Cayot said INTEGRIS Health officials could not consider whether the two November cyberattacks were linked in any way emphasizing that the investigation is still ongoingppWe are unable to speculate on whether the Hillcrest cyberattack was related INTEGRIS Healths investigation and review of potentially impacted data to determine the type of information and to whom it relates is ongoing Cayot said Feb 5 We have emailed letters to those with an email on file and additional letters will begin mailing later this weekppFollow NonDocs Edmond coverageppArchives Twitter Edmond EmailppWilliam Federman an attorney representing the group of INTEGRIS patients affected by the data breach said the company has not communicated effectively with its customersppINTEGRIS has not been forthcoming with many details It appears there was a ransomware attack It appears the ransomware attack was successful to infiltrate INTEGRIS cyber environment It further appears that the ransomware attackers gained access to the confidential health and personal information of INTEGRIS employees and potentially patients Federman said Were fairly confident that information was exfiltrated because all of the lawsuit class members have been receiving essentially blackmail emails from the bad actor wanting to be paid offppAfter the perpetrator emailed patients Dec 24 INTEGRIS Health posted a statement to its website that day notifying patients of the cyberattackppRegrettably we are writing to inform you of a cyber event that may have impacted our patient data Specifically we became aware of unauthorized access to a certain portion of our network that stores patient information the Dec 24 statement said Upon becoming aware of the activity INTEGRIS Health promptly took steps to secure the environment and commenced an investigation into the nature and scope of the activity There was no interruption to any services as a result of this event and INTEGRIS Health remains fully operationalppAfter allegedly failing to receive extorted payments from INTEGRIS Health itself the hacker attempted to extort patients Federman said by giving them until Jan 5 to pay 50 for their stolen personal health information If they failed to make the payment the hacker threatened it would sell the entire database to dark web data brokers on Jan 5 2024 the litigation complaint statesppIt is unclear whether patient data was sold Jan 5ppIn their email to patients the hacker said they contacted INTEGRIS after the breach but INTEGRIS refused to resolve the issue according to the complaintppINTEGRIS Healths updated statement said an investigation was launched after becoming aware of the suspicious activityppThe investigation determined that certain files may have been accessed by an unauthorized party on Nov 28 2023 INTEGRIS Health initiated a review of the potentially accessed data to determine the type of information and to whom it related which is currently underway the statement said As that review was ongoing on Dec 24 2023 INTEGRIS Health learned that patients began receiving communications from a group claiming responsibility for the unauthorized accessppThe company ecnouraged anyone receiving such communications to NOT respond or contact the sender or follow any of the instructions including accessing any linksppFederman claims INTEGRIS Health put its patients at risk by failing to take action against the cyberattack in a timely mannerppIts very troubling that INTEGRIS is not ahead of the game here and seems to be behind the eight ball INTEGRIS should have done something to lock down its system to prevent the problem from happening Once the problem happened they should have advised the affected patients immediately so they could have taken action Federman said Its essentially been silence from INTEGRIS You just cant be the ostrich with your head in the ground You have to be proactive Youre failing your customers your patientsppFederman said he expects INTEGRIS Health to stiff arm the class members of his lawsuit as they continue to seek more information about the attack and its impactppIt doesnt behoove anyone the class members INTEGRIS nobody for INTEGRIS to simply keep a secret here Federman said Thats what theyre doing Playing corporate amnesiappThe civil complaint filed Dec 28 lists five causes of action Negligence negligence per se breach of implied contract unjust enrichment and declaratory and injunctive reliefppPrior to the Oklahoma Legislature gaveling in for its 2024 regular session Feb 5 Sen Brent Howard RAltus filed legislation in December that would modify notice requirements for data breaches of certain security systems The bill would add new definitions for reasonable safeguards and restricted informationppSenate Bill 1337 if passed would require entities or individuals to provide notice to the attorney general of such breach without unreasonable delay but in no event more than 60 days after discovery of the breach Currently Oklahomas existing Security Breach Notification Act provides no time frame for when the attorney general should be notified of such a breachppWhile the Security Breach Notification Act already allows the attorney general or a district attorney exclusive authority to bring action and obtain either actual damages or a civil penalty not to exceed 150000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation Howards legislation would also allow the attorney general or a district attorney to seek actual damages and civil penalty equaling 150000 or 2000 per individual affected per breach whichever is greater The bill also adds hospitals as specific entities to be in compliance with provisions of the actppAsked if SB 1337 was filed in response to the recent data breaches at hospitals Howard said the bill is part of an initiative that began in the Attorney Generals Office back in August or SeptemberppThis one is something that the Attorney Generals Office has been working on and Ive kind of helped just shepherd it through Howard said But yeah its to put that within the AGs office and overview within thereppPhil Bacharach communications director for Attorney General Gentner Drummond called the bill a commonsense proposalppBusinesses and consumers all too often find themselves victimized by hackers and other unscrupulous actors and without recourse for prosecution Bacharach said SB 1337 would help ensure bad actors are held accountable for data breaches Its a commonsense probusiness and proconsumer measurepp
Name
pp
Email address
pp
ZIP code
pp
p