Integris Health Discloses a Data Breach of 2 million records

Integris Health, an Oklahoma-based health care nonprofit, reportedly received messages from threat actors telling them that their data had been breached, along with a demand for payment to delete their stolen data.

As per the notice from Integris, the stolen data was accessed via “potential unauthorized activity on certain systems” on Nov. 28. An investigation subsequently found that “certain files” may have been accessed. According to the nonprofit, the information stolen varies by individual but may include name, date of birth, contact information, demographic information, and Social Security number.

Integris also informed potentially affected customers and provided information on how affected customers can protect their personal information, including monitoring free credit reports for suspicious activity.

But then the story takes a twist: The hackers reached out to the victims in an unwanted Christmas surprise. The hackers sent extortion emails to patients claiming they had stolen the personal data of more than 2 million patients.

The emails apparently contained personal information confirming that the data was stolen in the attack. Having seemingly failed to extort money from Integris, the hackers then tried their luck with the victims.

“We have contacted Integris Health, but they refuse to resolve this issue,” the extortion email sent to Integris patients reads. “We give you the opportunity to remove your personal data from our databases before we sell the entire database to data brokers on Jan 5, 2024.”

The emails include a link to an extortion site that lists the stolen data and offers victims the ability to view their stolen data for $3 and the ability to pay $50 to delete it. In an update to its breach notice, Integris Health is encouraging anyone receiving the emails not to respond to or contact the sender or follow any instructions, including accessing any links.

Contacting potentially millions of victims and asking them to cough up $50 each is highly uncommon. That’s because hacking groups usually can’t be bothered to go after individual victims for small amounts when the target is the company or, in this case, the nonprofit health group they’ve attacked.

This might be the trend to look out for in 2024, but it will certainly raise awareness around cybersecurity if individual victims are regularly contacted by hackers demanding money every time a company or organization is breached.
