Data breaches are becoming an alarming trend, and healthcare incidents stand out for their potentially lifelong consequences. I just reported how a data breach at a physician-led vein center exposed almost half a million people’s data to hackers. And now, another healthcare data breach has come to light and this one affects even more people. The data breach exposes sensitive personal and medical information belonging to over 910,000 patients through ConnectOnCall, a telehealth platform and after-hours call service owned by Phreesia.
GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE
What you need to know
Healthcare software provider Phreesia has revealed that its ConnectOnCall service was hit by a data breach that lasted from February 16 to May 12, 2024. During this time, an unknown hacker gained access to the platform and pulled data from provider-patient communications. ConnectOnCall helps healthcare providers handle after-hours communication and automate patient call tracking.
Phreesia, which bought ConnectOnCall in October 2023, discovered the breach on May 12 and says it jumped into action right away. The company brought in external cybersecurity pros to lock down the platform and reported the breach to federal law enforcement.
“On May 12, 2024, ConnectOnCall learned of an issue impacting ConnectOnCall and immediately began an investigation and took steps to secure the product and ensure the overall security of its environment,” the company revealed in a press release.
According to a report filed with the U.S. Department of Health and Human Services, the breach impacted 914,138 patients (via Bleeping Computer). The stolen data includes names, phone numbers, medical record numbers, dates of birth, and details about health conditions, treatments, or prescriptions. In a few cases, Social Security Numbers were also compromised.
Phreesia claims its other services, like the patient intake platform, were not affected. The company has since taken ConnectOnCall offline and is working on bringing it back in a more secure setup.
We reached out to ConnectOnCall for a comment but did not hear back by our deadline.
UNDERSTANDING BRUSHING SCAMS AND HOW TO PROTECT YOURSELF
The risks associated with the ConnectOnCall data breach
The impact of this breach is significant due to the sensitive nature of healthcare data. Unlike financial breaches, where compromised accounts can be frozen or replaced, health information is permanent and highly sought after on the dark web. Cybercriminals may exploit this data to commit identity theft, including obtaining prescription drugs fraudulently or filing false insurance claims.
Plus, the detailed health information exposed—such as diagnoses, treatments, and medications—can be used for targeted phishing attacks. Scammers could exploit victims’ medical histories to create highly convincing schemes, increasing the likelihood of success.
Phreesia has mailed notification letters to all affected individuals for whom healthcare providers had valid mailing addresses as of December 11, 2024. For those whose Social Security Numbers were exposed, the company is offering identity and credit monitoring services.
GIFT WRAPPING TRICKS AND TIPS GOING VIRAL
7 ways to keep yourself safe from such data breaches
1) Regularly monitor your financial and medical accounts: Periodically review your medical records and health insurance statements for any unusual or unauthorized activity. This can help you quickly identify and address any discrepancies or fraudulent activities.
Use patient portals provided by healthcare providers to access your medical records online. These portals often have features that allow you to track your medical history and appointments.
2) Use strong passwords and two-factor authentication: Create strong, unique passwords for your online accounts, including healthcare portals. Avoid using easily guessable information like birthdays or common words. Consider using a password manager to generate and store complex passwords.
3) Enable two-factor authentication wherever possible: 2FA adds an extra layer of security by requiring a second form of verification, such as a text message code or authentication app, in addition to your password.
4) Don’t fall for phishing scams; use strong antivirus software: Be mindful of the information you share online and with whom you share it. Avoid providing sensitive personal information, such as Social Security numbers or medical details, unless absolutely necessary. Verify the legitimacy of any requests for personal information. Scammers often pose as healthcare providers or insurance companies to trick you into revealing sensitive data by asking you to click on links in emails or messages.
The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers:
5) Use identity theft protection services: Consider enrolling in identity theft protection services that monitor your personal information and alert you to potential threats. These services can help you detect and respond to identity theft more quickly. Some identity theft protection services also offer insurance and assistance with recovering from identity theft, providing additional peace of mind.
One of the best parts of my #1 pick is that they have identity theft insurance off up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.
Exclusive CyberGuy deal: 66% off Ultra Annual Plans: Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year.
See my tips and best picks on how to protect yourself from identity theft.
6) Freeze your credit: A credit freeze prevents anyone from opening new credit accounts in your name without your authorization, reducing the risk of identity theft. Contact the major credit bureaus (Experian, Equifax, and TransUnion) to request a credit freeze. This is often free and can be temporarily lifted when you need to apply for credit.
7) Remove your personal data from the internet: After being part of a data breach, it’s crucial to minimize your online presence to reduce the risk of future scams. Consider using a personal data removal service that can help you delete your information from various websites and data brokers. This can greatly diminish the chances of your data being used maliciously.
Special for CyberGuy Readers (60% off): Incogni offers A 30-day money-back guarantee and then charges a special CyberGuy discount only through the links in this article of $6.49/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan and get a fully automated data removal service, including recurring removal from 190+ data brokers. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.
Get Incogni for your family (up to 4 people) here
10 TIPS FOR WRAPPING YOUR HOLIDAY GIFTS
Kurt’s key takeaway
The ConnectOnCall health data breach highlights the critical need for robust cybersecurity measures within the healthcare sector, where the stakes are often much higher than in other industries. With over 910,000 patients affected, this incident shows the serious risks posed by cyberattacks on healthcare platforms. Sensitive data like medical records and Social Security numbers are permanent and can be misused for identity theft and fraud. If you were impacted, stay vigilant by monitoring your accounts, enabling fraud alerts, and considering identity theft protection services.
Do you think healthcare providers should face stricter regulations for protecting sensitive patient information? Let us know in the comments below.
FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2024 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
2 comments