$30M settlement reached in data breach affecting 2.4M patients
A health system in Oklahoma has settled a lawsuit over a data breach it suffered in 2023, agreeing to pay a class of plaintiffs $30 million. The incident impacted roughly 2.4 million people.
The complaint against Integris Health represented a consolidated series of lawsuits, all effectively claiming that the health system was negligent in securing sensitive patient data and that the Nov. 28, 2023, breach of its network was preventable.
“Due to defendant’s negligence, cybercriminals have stolen and obtained everything they need to commit identity theft and wreak havoc on the financial and personal lives of millions of individuals,” the class action lawsuit read.
Specifically, the plaintiffs argued in their court filing that cybersecurity at Integris was “insufficient,” opening the door for hackers to breach defenses and access patient data. Despite agreeing to the settlement, Integris did not admit wrongdoing, nor did a court find it liable for the breach.
The settlement—which provides victims with three years of credit monitoring and reimburses them up to $25,000 for any expenses they incurred—fully resolves all civil claims stemming from the incident.
Stolen information included Social Security numbers, dates of birth, phone numbers, emails, addresses, and details on health insurance from patients.
Direct extortion
A cybercrime cell calling itself “DataLeakege” soon claimed credit for the attack. In December 2023, Integris patients began receiving emails from “[email protected],” informing them that they had been “compromised.” According to the court filing, victims were told they had until Jan. 5, 2024, to send $50, or risk having their personal data leaked onto the dark web.
In a public statement, Integris asked that no one respond to the cybercriminals’ demand. It was later confirmed that the health system had been targeted with ransomware; however, it remains unclear whether Integris ever paid a ransom. It is also unclear whether the stolen data was sold on the black market.
Plaintiffs maintained that Integris did not do enough to attempt to recover the stolen data and refused to resolve the issue, leaving the hackers to reach out to patients directly. The plaintiffs sought punitive damages in addition to compensatory damages.
Now it seems they will have to make do with the terms of the settlement, which is scheduled to be finalized by a judge on Dec. 16. A website has been established for eligible claimants to file claims and receive their benefits.
Integris has not commented publicly on the settlement. HealthExec has reached out to ask whether it has any statement.
The nonprofit health system operates 16 hospitals and dozens of clinics in Oklahoma that provide primary and specialty care services.
