More than 910,000 patients at risk after ConnectOnCall health data breach

Data breaches in the health care industry are becoming increasingly common, with potentially lifelong consequences for those affected. Following the recent incident at a physician-led vein center, another breach has come to light, impacting over 910,000 patients through ConnectOnCall, a telehealth platform owned by Phreesia.
Phreesia, a health care software provider, revealed that the breach occurred between Feb. 16 and May 12, 2024. During this time, a hacker gained unauthorized access to the platform, compromising sensitive personal and medical information from provider-patient communications. ConnectOnCall is a service that assists health care providers in managing after-hours communication and automating patient call tracking.
Upon discovering the breach on May 12, Phreesia took immediate action by bringing in external cybersecurity experts to secure the platform and reporting the incident to federal law enforcement. The stolen data includes names, phone numbers, medical record numbers, dates of birth, and details about health conditions, treatments, and prescriptions. In some cases, Social Security numbers were also compromised.
Phreesia has confirmed that its other services, such as the patient intake platform, were not affected by the breach. The company has since taken ConnectOnCall offline and is working on reinstating it in a more secure configuration.
The impact of this breach is significant due to the nature of the exposed information. Health care data is highly sought after on the dark web and can be used for identity theft, prescription fraud, and filing false insurance claims. The detailed health information obtained in this breach could also be used for targeted phishing attacks, where scammers exploit victims’ medical histories to create convincing schemes.
Phreesia has sent notification letters to all affected individuals with valid mailing addresses, offering identity and credit monitoring services for those whose Social Security numbers were compromised. To safeguard against similar incidents, individuals are advised to monitor their financial and medical accounts regularly, use strong passwords and enable two-factor authentication, and be cautious of phishing scams. Additionally, enrolling in identity theft protection services and freezing credit can further protect against potential threats.
The ConnectOnCall data breach underscores the need for enhanced cybersecurity measures in the health care sector, where the stakes are especially high. With sensitive data like medical records and Social Security numbers at risk, it is essential for health care providers to prioritize the protection of patient information. By staying vigilant and implementing robust security practices, individuals can mitigate the risks associated with data breaches and safeguard their personal information.