Data breaches are becoming an alarming trend, and health care incidents stand out for their potentially lifelong consequences. Recently, I reported how a data breach at a physician-led vein center exposed almost half a million people’s data to hackers. Now, another health care data breach has come to light, affecting even more people. This breach exposed sensitive personal and medical information belonging to over 910,000 patients through ConnectOnCall, a telehealth platform and after-hours call service owned by Phreesia.
1. Regularly review your financial and medical accounts
Health care software provider Phreesia has revealed that its ConnectOnCall service was hit by a data breach that lasted from February 16 to May 12, 2024. During this time, an unknown hacker gained access to the platform and pulled data from provider-patient communications. ConnectOnCall helps health care providers handle after-hours communication and automate patient call tracking. Phreesia, which bought ConnectOnCall in October 2023, discovered the breach on May 12 and says it jumped into action right away. The company brought in external cybersecurity pros to lock down the platform and reported the breach to federal law enforcement.
By monitoring your financial and medical accounts regularly, you can quickly identify and address any discrepancies or fraudulent activities resulting from such data breaches. Periodically review your medical records and health insurance statements for any unusual or unauthorized activity. Using patient portals provided by health care providers to access your medical records online can also be very helpful. These portals often have features that allow you to track your medical history and appointments, making it easier to spot any irregularities. Taking these proactive measures can significantly mitigate the risks associated with data breaches.
2. Use strong passwords and two-factor authentication (2FA)
Phreesia claims its other services, like the patient intake platform, were not affected. The company has since taken ConnectOnCall offline and is working on bringing it back in a more secure setup. According to a report filed with the U.S. Department of Health and Human Services, the breach impacted 914,138 patients. The stolen data includes names, phone numbers, medical record numbers, dates of birth, and details about health conditions, treatments, or prescriptions. In a few cases, Social Security numbers were also compromised. We reached out to ConnectOnCall for a comment but did not hear back by our deadline.
In light of such breaches, creating robust and unique passwords for your online accounts is crucial, especially for health care portals. Avoid using easily guessable information like birthdays or common words. A password manager can help generate and store complex passwords, making it easier to maintain security. Additionally, enabling two-factor authentication (2FA) wherever possible adds an extra layer of security. This method requires a second form of verification, such as a text message code or authentication app, in addition to your password, making it significantly harder for hackers to gain access to your accounts.
3. Don’t fall for phishing scams; use strong antivirus software
The risks associated with the ConnectOnCall data breach are significant due to the sensitive nature of health care data. Unlike financial breaches, where compromised accounts can be frozen or replaced, health information is permanent and highly sought after on the dark web. Cybercriminals may exploit this data to commit identity theft, including obtaining prescription drugs fraudulently or filing false insurance claims. Plus, the detailed health information exposed – such as diagnoses, treatments, and medications – can be used for targeted phishing attacks. Scammers could exploit victims’ medical histories to create highly convincing schemes, increasing the likelihood of success.
To protect yourself from such threats, be cautious about the information you share online and with whom you share it. Avoid providing sensitive personal information, such as Social Security numbers or medical details, unless absolutely necessary. Verify the legitimacy of any requests for personal information, especially since scammers often pose as health care providers or insurance companies to trick you into revealing sensitive data. Installing robust antivirus software on all your devices is another essential measure. Good antivirus software can alert you to phishing emails and ransomware scams, safeguarding your personal information and digital assets.
4. Use identity theft protection services
Phreesia has mailed notification letters to all affected individuals for whom health care providers had valid mailing addresses as of December 11, 2024. For those whose Social Security numbers were exposed, the company is offering identity and credit monitoring services. Given the severity of this breach, utilizing identity theft protection services can be a wise decision. These services monitor your personal information and alert you to potential threats, helping you detect and respond to identity theft more quickly.
Some identity theft protection services also offer insurance and assistance with recovering from identity theft, providing additional peace of mind. This can be particularly valuable if you find yourself dealing with the aftermath of a data breach. These services not only notify you of suspicious activities but also provide expert guidance on how to handle and resolve identity theft incidents. By taking advantage of identity theft protection, you can better safeguard your personal and financial information against future threats.
5. Freeze your credit
Another effective strategy to protect yourself from the consequences of data breaches is to freeze your credit. A credit freeze prevents anyone from opening new credit accounts in your name without your authorization, significantly reducing the risk of identity theft. You can contact the major credit bureaus – Experian, Equifax, and TransUnion – to request a credit freeze. This process is often free and can be temporarily lifted when you need to apply for credit.
By freezing your credit, you add an extra layer of protection against unauthorized access to your financial information. This measure can be especially important if your Social Security number or other personal details were exposed in a data breach. Regularly reviewing your credit reports and staying vigilant can help you quickly detect and address any fraudulent activities. Taking these precautions ensures that you maintain control over your financial accounts and minimize the risks posed by data breaches.
6. Remove your personal data from the internet
After being part of a data breach, it’s crucial to minimize your online presence to reduce the risk of future scams. Consider using a personal data removal service that can help you delete your information from various websites and data brokers. This can greatly diminish the chances of your data being used maliciously. By removing your personal data from the internet, you make it harder for cybercriminals to access and exploit your information.
Personal data removal services can target a wide range of online sources, including social media platforms, data broker sites, and other websites that may have collected your information. By proactively managing your digital footprint, you can better protect yourself from potential threats. These services offer a convenient way to ensure that your personal data remains secure and out of the hands of malicious actors. Taking these steps can help you maintain your privacy and reduce the likelihood of falling victim to future scams.
Kurt’s key takeaway
Data breaches are becoming increasingly common, and incidents within the health care sector are particularly concerning due to their potentially long-lasting effects. Recently, I reported on a data breach at a physician-led vein center where nearly half a million individuals’ data was compromised. That incident was alarming, but now, an even more extensive health care data breach has emerged.
This new breach has exposed sensitive personal and medical information belonging to over 910,000 patients. The breach occurred through ConnectOnCall, a telehealth platform and after-hours call service owned by Phreesia. This platform is widely used by patients seeking medical consultations and support, which makes the leak even more significant.
The information available to hackers potentially includes detailed medical records, personal identification information, and possibly financial data. Such breaches can lead to identity theft, fraud, and other serious issues that may affect the victims for years to come. It highlights the critical need for robust cybersecurity measures within the health care industry to protect patient data and maintain trust.
As cyberattacks become more sophisticated, health care organizations must prioritize data security to prevent such breaches. This includes regular audits, updating security protocols, and educating staff on best practices to safeguard sensitive information. The repeated occurrence of these incidents serves as a dire warning and a call to action for the entire health care sector to take immediate and effective measures.