Full Report
Lauren Giella reports: Oklahoma health system Integris Health reached a $30 million settlement in a data breach class action lawsuit that impacted over two million people over two years ago. This agreement settles a class action lawsuit filed in the U.S. District Court for the Western District of Oklahoma that accuses Integris of negligence after...
Analysis Summary
# Incident Report: Integris Health 2023 Data Breach Settlement
## Executive Summary
Integris Health agreed to a \$30 million settlement following a data breach that occurred in November 2023 and impacted over two million individuals. The incident exposed sensitive patient data, led to accusations of negligence, and resulted in class-action litigation. The specific attack vector is not detailed in the available reporting; what is documented is the large-scale theft of patient data and the post-breach extortion attempts directed at the victims.
## Incident Details
- Discovery Date: Unknown (Breach occurred Nov 2023; victims notified/contacted late Dec 2023)
- Incident Date: November 2023
- Affected Organization: Integris Health
- Sector: Healthcare
- Geography: Oklahoma (Implied, based on court jurisdiction)
## Timeline of Events
### Initial Access
- Date/Time: Prior to or during November 2023
- Vector: Not explicitly disclosed in the summary (Implied exploitation of security vulnerabilities leading to compromise).
- Details: Attackers gained access to systems containing patient data.
### Lateral Movement
- Details: Not specified, but necessary for the extensive data collection.
### Data Exfiltration/Impact
- Details: SSNs, dates of birth, addresses, phone numbers, insurance information, and employer information were stolen.
- Post-Breach Activity: A cybercriminal, identifying as "DataLeakege," contacted victims in late December 2023, threatening to sell the data on the darknet unless a \$50 payment was made by January 5, 2024.
### Detection & Response
- Detection: The exact technical detection method is unknown, but the scope was evident when victims were contacted by the threat actor in late December 2023.
- Response Actions: A class-action lawsuit was filed in the U.S. District Court for the Western District of Oklahoma, ultimately resulting in a \$30 million settlement agreement.
## Attack Methodology
- Initial Access: Not specified.
- Persistence: Not specified, but required to collect and prepare data for exfiltration.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: SSNs, DOBs, addresses, phone numbers, insurance information, and employer information were collected.
- Exfiltration: Data was successfully exfiltrated, leading to extortion attempts against victims.
- Impact: Data theft and subsequent financial extortion attempts against affected individuals.
## Impact Assessment
- Financial: \$30 Million settlement amount agreed upon for the class action lawsuit.
- Data Breach: Compromise of data belonging to over two million individuals, including highly sensitive PII and PHI identifiers (SSNs, insurance info).
- Operational: Not specified, though systemic failure to protect data implies operational control shortcomings.
- Reputational: Significant negative impact due to the large settlement and the public nature of the breach and subsequent extortion.
## Indicators of Compromise
- Network indicators: Defanged email contact: `dataleakege@igpc[.]mcambraia[.]dns-secure[.]net`
- File indicators: None provided.
- Behavioral indicators: External extortion communication targeting victims shortly after the breach period.
## Response Actions
- Containment: Not specified (Implied containment occurred sometime between November 2023 and the filing of the lawsuit).
- Eradication: Not specified.
- Recovery actions: The primary public action noted is the legal resolution via the \$30 million settlement.
## Lessons Learned
- Security controls failed to adequately protect highly sensitive patient data over a two-year period (implied compromise lasting up to two years prior to the discovery/settlement context).
- Post-breach communication from threat actors regarding compromised data indicates successful persistence and data handling by the adversary.
- Failure to adequately address known risks led to significant civil liability exposure (\$30 million).
## Recommendations
- Immediately review and enhance data access controls and segmentation, especially for systems containing SSNs and health insurance data.
- Implement proactive threat hunting capabilities to detect lateral movement and data staging, so that a breach is identified internally rather than surfacing only when victims are contacted by the threat actor.
- Improve data encryption practices both in transit and at rest for all sensitive patient information.