INTEGRIS Health cyberattack
INTEGRIS Health Edmond Hospital is at 4801 INTEGRIS Pkwy. (Joe Tomlinson)

Several lawsuits have been filed against INTEGRIS Health, the largest not-for-profit Oklahoma-owned health system in the state, after a hacker claims to have obtained names, dates of birth, Social Security numbers, and contact and demographic information from more than 2.2 million patients during a November cyberattack.

Meanwhile, a separate health care system that serves northeast Oklahoma suffered a cyberattack within the same week, and lawmakers are proposing legislation that would require hospitals to notify the Attorney General’s Office after data breaches occur.

Although INTEGRIS Health’s leadership believes their attack occurred Nov. 28, impacted patients were not notified of the breach until the bad actor emailed people on Christmas Eve seeking payment in exchange for deletion of their personal health information.

INTEGRIS Health is Edmond’s largest private employer and operates the city’s largest hospital. Several people whose families apparently had their personal information stolen declined to speak publicly about the data breach for fear of reprisal by the hacker, although each expressed frustration with INTEGRIS for the apparent delay in notifying patients about the breach.

One Edmond resident affected by the data breach — who agreed to speak with NonDoc on the condition of anonymity — said the hacker emailed him Dec. 24 with his name, Social Security number, phone number and address. INTEGRIS Health notified him of the attack Jan. 5, about 38 days after the breach occurred and 12 days after the hacker emailed patients. By that time, news outlets had already reported the hack publicly.

“They breached in November, the bad guys let me know in December, and I don’t hear anything from INTEGRIS until the start of the new year?” the man told NonDoc on the condition of anonymity. “It appears to me that INTEGRIS couldn’t organize a two-car funeral.”

INTEGRIS Health has offered 24 months of free credit monitoring to patients impacted by the data breach.

“The notion of giving someone free credit monitoring for two years after knowing they have been hacked for nearly two months seems like a half-assed gesture to help you,” the INTEGRIS patient said.

INTEGRIS Health communities in Oklahoma:

• Ada
• Altus
• Antlers
• Atoka
• Blackwell
• Chandler
• Cherokee
• Cheyenne
• Chickasha
• Clinton
• Coalgate
• Del City
• Duncan
• Edmond
• Elk City
• El Reno
• Enid
• Grove
• Hennessey
• Hinton
• Hobart
• Hugo
• Kingfisher
• Lawton
• Mangum
• Medford
• Miami
• Moore
• Newcastle
• Norman
• Okeene
• Oklahoma City
• Perry
• Ponca City
• Purcell
• Sayre
• Seminole
• Stillwater
• Stroud
• Vinita
• Watonga
• Waynoka
• Waurika
• Weatherford
• Woodward
• Yukon

Initially, 11 separate class-action lawsuits were filed against INTEGRIS Health in the U.S. District Court for the Western District of Oklahoma. In the latest court filings, Timothy DeGiusti, chief U.S. district judge, consolidated each case under Zinck et al v. INTEGRIS Health Inc.

Owing to the sheer amount of class-members involved in the case, the court has found some potential conflict-of-interests involving its law clerks. The mother of one law clerk assigned to the case is a class member, while two other law clerks in the court’s chambers are class members themselves, DeGiusti wrote in a Jan. 31 order.

If any party of the case files an objection against those law clerks by 5 p.m. Monday, Feb. 5, the court will find a “conflict-free law clerk from another judge in the Western District.” If no objections are filed, those law clerks will continue on the case.

Additionally, there are jurisdictional concerns under the Class Action Fairness Act. CAFA vests federal courts with jurisdiction over putative class actions where the amount in controversy exceeds $5 million in the aggregate and there is minimal diversity between the parties.

“Amanda Harvey, counsel for INTEGRIS, stated that, based on preliminary calculations, there are approximately 2,285,646 INTEGRIS patients impacted by the data breach. Of those patients, Ms. Harvey stated it is currently believed that approximately 90 percent are Oklahoma residents,” DeGiusti wrote in the Jan. 31 order.

To address the issues under CAFA, DeGiusti ordered Harvey to file a notice with the court by Feb. 13, “in which counsel shall set forth INTEGRIS’s most recent interpretation of the figures regarding residency of putative class members, as discussed during the status conference.”

Brooke Cayot, a communications manager with INTEGRIS Health, provided a statement directing impacted patients to the company’s website for further information.

“The privacy, confidentiality and security of our patients’ personal information are top priorities for INTEGRIS Health. As we work with third-party specialists to investigate this matter and determine the scope of affected data and to whom that data relates, we are providing the latest information for patients and the public here,” Cayot wrote. “As we confirm affected individuals, we are reaching out to them to provide notification and support, including 24 months of access to free credit monitoring and identity protection services. As our investigation into this matter is ongoing, we are unable to provide additional information at this time.”

INTEGRIS Health switched security providers in fall 2023

INTEGRIS Health cyberattack
INTEGRIS Health Edmond Hospital is at 4801 INTEGRIS Parkway. (Joe Tomlinson)

INTEGRIS Health representatives have largely declined to answer specific questions about the situation, but Cayot confirmed the FBI is involved in an ongoing investigation.

“We are unable to answer some of the below questions as we continue to work with third-party specialists, as well as the FBI, to complete the investigation,” Cayot said. “INTEGRIS Health takes the security of our patients’ information seriously. Our security team regularly consults with industry experts on the latest protections and safeguards available to thwart illegal activity.

“We understand the uncertainty and concerns that the data breach has caused our community. It is an unfortunate reality of doing business today that new threats continuously emerge in an attempt to disrupt the care we provide and impact the trust of those who rely upon us in their time of need.”

Sometime in fall 2023, INTEGRIS Health changed its software security provider from VMWare to Citrix. However, the health system has since switched back to VMWare “temporarily.”

“We did move to Citrix in the fall,” Cayot said. “However, we moved temporarily back to VMware.”

Complications related to the switch to Citrix last fall allegedly caused an array of problems, including at least one weekend during which nurses and doctors struggled to access certain patient data.

Asked whether the changes in software security systems is believed to be related to the data breach, Cayot declined to answer.

Jonathan Rule, the chief hospital executive of INTEGRIS Health Edmond, spoke on the hospital’s growth and expanding workforce needs during a Zoom presentation at an Edmond Economic Development Authority meeting Jan. 16, but he did not address the data breach. INTEGRIS Health is the fourth largest employer in Edmond, following Edmond Public Schools, the University of Central Oklahoma and the City of Edmond.

“We said we’re going to grow with Edmond, and we’ve done that. We’re now the largest private employer in the city,” Rule said. “As we add additional clinics and as we continue to operationalize the rest of our expansion, I fully anticipate that we’ll probably move into that number three spot here in the next three to five years.”

Ardent Health Services sustains separate November cyberattack

Hillcrest Medical Center is located at 1120 S. Utica Ave. in Tulsa, Oklahoma. (Tristan Loveless)

Around the same time as the INTEGRIS Health data breach, Ardent Health Services — the parent company of the Hillcrest Healthcare System, which serves northeast Oklahoma — endured a cyberattack of its own. Although Ardent announced its breach within a week of it occurring, patients whose data had been breached were not contacted directly by the company for nearly two months, according to a timeline of statements on the Ardent Health website.

In a Nov. 27 press release, Ardent Health Services announced it became aware of a “cybersecurity incident” that occurred Nov. 23, five days before the INTEGRIS Health breach.

In response, Ardent Health Services informed law enforcement of the incident and “took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs,” according to the press release. The health care provider restored access to Epic, its electronic health record provider, on Dec. 6, according to another press release.

In a Jan. 22 press release, Ardent Health Services said its investigation into the issue “revealed that an unauthorized actor extracted copies of documents that include certain individuals’ personal information.” That information includes addresses, phone numbers, Social Security numbers, email addresses, medical treatment information, health insurance and claims information, as well as Medicaid and Medicare numbers.

“On Jan. 22, 2024, Ardent Health Services and its affiliated entities began mailing letters to individuals whose information may have been involved in the incident,” the updated statement reads. “Our data review process is ongoing and will take time to complete. As we identify additional impacted individuals, we will mail letters to them in accordance with all applicable laws.”

Asked whether there is any indication the Ardent cyberattack and INTEGRIS cyberattack could be related, Brittany Parmley, a spokeswoman for Hillcrest, said that question should be directed to law enforcement.

Asked what agency is investigating the Hillcrest data breach, Parmley replied that Ardent would not share that information.

“Everything that we have shared is available online,” Parmley said.

Both INTEGRIS Health and Ardent Health Services use Epic as their electronic health record provider. However, Cayot said INTEGRIS Health officials could not consider whether the two November cyberattacks were linked in any way, emphasizing that the investigation is still ongoing.

“We are unable to speculate on whether the Hillcrest cyberattack was related. INTEGRIS Health’s investigation and review of potentially impacted data to determine the type of information and to whom it relates is ongoing,” Cayot said Feb. 5. “We have emailed letters to those with an email on file and additional letters will begin mailing later this week.”

Follow NonDoc’s Edmond coverage

Archives | Twitter | Edmond Email

‘Playing corporate amnesia’

INTEGRIS Baptist Hospital is located at 330 Northwest Expressway in Oklahoma City. (Matt Patterson)

William Federman, an attorney representing the group of INTEGRIS patients affected by the data breach, said the company has not communicated effectively with its customers.

“INTEGRIS has not been forthcoming with many details. It appears there was a ransomware attack. It appears the ransomware attack was successful to infiltrate INTEGRIS’ cyber environment. It further appears that the ransomware attackers gained access to the confidential health and personal information of INTEGRIS’ employees and potentially patients,” Federman said. “We’re fairly confident that information was exfiltrated (…) because all of the (lawsuit) class members have been receiving essentially blackmail emails from the bad actor wanting to be paid off.”

After the perpetrator emailed patients Dec. 24, INTEGRIS Health posted a statement to its website that day notifying patients of the cyberattack.

“Regrettably, we are writing to inform you of a cyber event that may have impacted our patient data. Specifically, we became aware of unauthorized access to a certain portion of our network that stores patient information,”  the Dec. 24 statement said. “Upon becoming aware of the activity, INTEGRIS Health promptly took steps to secure the environment and commenced an investigation into the nature and scope of the activity. There was no interruption to any services as a result of this event, and INTEGRIS Health remains fully operational.”

After allegedly failing to receive extorted payments from INTEGRIS Health itself, the hacker attempted to extort patients, Federman said, by giving them until Jan. 5 to pay $50 for their stolen personal health information. If they failed to make the payment, “[the hacker] threatened it would sell the entire database to (dark web) data brokers on Jan. 5, 2024,” the litigation complaint states.

It is unclear whether patient data was sold Jan. 5.

In their email to patients, the hacker said they contacted INTEGRIS after the breach, “but INTEGRIS refused to resolve the issue,” according to the complaint.

INTEGRIS Health’s updated statement said an investigation was launched after “becoming aware of the suspicious activity.”

“The investigation determined that certain files may have been accessed by an unauthorized party on Nov. 28, 2023. INTEGRIS Health initiated a review of the potentially accessed data to determine the type of information and to whom it related, which is currently underway,” the statement said. “As that review was ongoing, on Dec. 24, 2023, INTEGRIS Health learned that patients began receiving communications from a group claiming responsibility for the unauthorized access.”

The company ecnouraged “anyone receiving such communications to NOT respond or contact the sender, or follow any of the instructions, including accessing any links.”

Federman claims INTEGRIS Health put its patients at risk by failing to take action against the cyberattack in a timely manner.

“It’s very troubling that INTEGRIS is not ahead of the game here and seems to be behind the eight ball. INTEGRIS should have done something to lock down its system to prevent the problem from happening. Once the problem happened, they should have advised the [affected patients] immediately so they could have taken action,” Federman said. “It’s essentially been silence from INTEGRIS. You just can’t be the ostrich with your head in the ground. You have to be proactive. You’re failing your customers, your patients.”

Federman said he expects INTEGRIS Health to “stiff arm” the class members of his lawsuit as they continue to seek more information about the attack and its impact.

“It doesn’t behoove anyone — the class members, INTEGRIS, nobody — for INTEGRIS to simply keep a secret here,” Federman said. “That’s what they’re doing: Playing corporate amnesia.”

The civil complaint filed Dec. 28 lists five causes of action: Negligence, negligence per se, breach of implied contract, unjust enrichment, and declaratory and injunctive relief.

Legislation filed related to notice of data breaches

Prior to the Oklahoma Legislature gaveling in for its 2024 regular session Feb. 5, Sen. Brent Howard (R-Altus) filed legislation in December that would modify notice requirements for data breaches of certain security systems. The bill would add new definitions for “reasonable safeguards” and “restricted information.”

Senate Bill 1337, if passed, would require entities or individuals to “provide notice to the attorney general of such breach without unreasonable delay but in no event more than 60 days after discovery of the breach.” Currently, Oklahoma’s existing Security Breach Notification Act provides no time frame for when the attorney general should be notified of such a breach.

While the Security Breach Notification Act already allows the attorney general or a district attorney exclusive authority to bring action and obtain either actual damages or a civil penalty not to exceed “$150,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation,” Howard’s legislation would also allow the attorney general or a district attorney to seek actual damages and civil penalty equaling $150,000 or $2,000 per individual affected per breach, whichever is greater. The bill also adds hospitals as specific entities to be in compliance with provisions of the act.

Asked if SB 1337 was filed in response to the recent data breaches at hospitals, Howard said the bill is part of an initiative that began in the Attorney General’s Office back in “August or September.”

“This one is something that the Attorney General’s Office has been working on, and I’ve kind of helped just shepherd it through,” Howard said. “But yeah, it’s to put that within the AG’s office and overview within there.”

Phil Bacharach, communications director for Attorney General Gentner Drummond, called the bill a “common-sense” proposal.

“Businesses and consumers all too often find themselves victimized by hackers and other unscrupulous actors, and without recourse for prosecution,” Bacharach said. “SB 1337 would help ensure bad actors are held accountable for data breaches. It’s a common-sense, pro-business and pro-consumer measure.”

Read the Zinck et al v. INTEGRIS Health Inc. complaint

Loader Loading...
EAD Logo Taking too long?
Reload Reload document
| Open Open in new tab