Alert essentials:

Phreesia, a healthcare SaaS company, reported a breach affecting 914,138 patients via its subsidiary ConnectOnCall, a telehealth and patient communication platform.

Individuals should monitor for identity theft and report suspicious activity.


Detailed threat description:

Phreesia has disclosed a data breach involving ConnectOnCall, its telehealth and after-hours patient communication platform acquired in October 2023. The breach, discovered on May 12, 2024, allowed unauthorized access to sensitive patient data between February 16, 2024, and May 12, 2024.

The breach exposed:

  • Personal data: names, phone numbers, and Social Security numbers
  • Health information: medical record numbers, dates of birth, health conditions, treatments, and prescriptions

Phreesia emphasized that the incident was limited to ConnectOnCall and did not impact its other services, such as its patient intake platform. The company has notified law enforcement, hired external cybersecurity specialists, and taken ConnectOnCall offline to rebuild it securely.

Phreesia recommends:

  • Monitoring accounts for unusual activity
  • Reporting suspected fraud to insurers or financial institutions
  • Considering additional precautions such as fraud alerts or credit freezes

Phreesia has reassured clients that it is working to restore ConnectOnCall and implement improved security measures to prevent future breaches. This incident underscores the importance of robust cybersecurity in protecting sensitive healthcare data.


Impacts on healthcare organizations:

Personal information, including Social Security numbers, was exposed during this breach. Stolen data of this kind can be used in many scenarios with far-reaching implications, such as opening credit cards in the victim's name and leaving the victim responsible for the costs. Bad actors may also use the exposed medical information against patients in extortion campaigns.

Advise patients who inquire to monitor their credit reports and consider using the identity and credit monitoring services offered by Phreesia if their Social Security number was taken in the breach.


Recommendations

Engineering recommendations:

  • Remind users to practice good cyber hygiene


Leadership/ Program recommendations:

  • Individual notification letters were mailed to the affected individuals on December 11, 2024
  • This means that if you use Phreesia’s telehealth services, or even if your doctor uses its after-hours on-call answering service, you could soon receive a letter in the mail

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: