Almost 1 Million ConnectOnCall Patients' Data Exposed But Healthcare Firm Responds Quickly

We don’t have to tell you that cyber threats are increasing by the minute. Businesses across industries are now falling prey to cyber-attacks. Recently 8 major telecom companies in the US were hacked by the Salt Typhoon cybercrime syndicate, leading to the US government issuing an advisory. Days later, it was reported that two of these telecom firms, AT&T and Verizon, only notified "high-value" users about the breach, leaving most customers unaware of the data privacy violation.

Another incident, this time in the healthcare industry, possibly[NK1]  the largest healthcare data breach of recent times, has raised eyebrows. Investigations into the breach at ConnectOnCall, a subsidiary of healthcare software company Phreesia, disclosed that over 910,000 individuals’ personal and health information was compromised earlier this year.

On May 12, 2024, ConnectOnCall detected unauthorized access to its platform, which started on February 16, 2024. This incident has raised serious concerns about the security capabilities of the healthcare industry and the protection of sensitive patient data.

So, what happened and how is the health tech leader responding?

Let’s dive into the details!
 

What Was The ConnectOnCall Data Breach?

 
The breach occurred when an unknown third-party accessed ConnectOnCall’s data between February 16 and May 12, 2024, with the afterhours call service between patients and doctors being taken offline.

The breach made patients and healthcare workers’ private information public, including names, phone numbers, dates of birth, medical record numbers and details about health conditions, treatments and prescriptions. In some cases, Social Security numbers were also accessed, posing a significant identity theft risk.

According to the parent firm Phreesia, the breach only affected the ConnectOnCall app and no other services, like its software for onboarding new patients.

So, how did the business respond to one of the largest data breaches in the healthcare industry?
 

How Did Phreesia And ConnectOnCall Respond To The Breach?

Once the data breach was discovered in May 2024, ConnectOnCall took its platform offline to prevent further unauthorized access. Then, Phreesia brought in law enforcement and cybersecurity specialists to investigate the breach and enhance the platform’s security.

A phased restoration of the platform is underway, with enhanced security measures being implemented to prevent similar breaches in the future. The company said that there’s no clear indication yet of malicious activity or sale of stolen data from the breach.

Moreover, Phreesia notified all 914,138 affected individuals, offered them complimentary credit monitoring and identity theft protection, especially to those whose Social Security numbers were exposed.

The company also advised all potentially impacted individuals to remain vigilant by monitoring their financial accounts, credit reports and insurance records for suspicious activity. ConnectOnCall recommended reporting any suspected identity theft or fraud to the relevant authorities, insurers or financial institutions promptly.

This response is in stark contrast to that of the telecom leaders, AT&T and Verizon, who faced backlash for not notifying customers about the breach. Here’s what the stakeholders had to say about the breach and their quick response.
 

What Did ConnectOnCall’s Stakeholders Say?

ConnectOnCall said in a statement that they knew the breach was serious, mentioning that “the ConnectOnCall service remains offline and we are working diligently to assess the potential impact and restore the service.”

ConnectOnCall also emphasized, “While ConnectOnCall is not aware of any misuse of personal information or harm to patients as a result of this incident, we encourage affected individuals to remain vigilant.”

This data breach closely followed the Change Healthcare ransomware breach that affected around 100 million customers, with the ALPHV ransomware organization stealing 6 terabytes of sensitive data.

The Office for Civil Rights stated, "On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach," with Change Healthcare also paying $22 million in ransom in exchange for the data.
 

Conclusion

The latest breach at ConnectOnCall shows how critical strong security measures and responsiveness are in the healthcare technology arena. This is especially true for healthcare technology platforms that handle private data shared between patients and providers, which will be incentivized to review their data security policies after this incident.

After all, the data breach at ConnectOnCall is a sobering reminder of how weak digital healthcare systems currently are and how the healthcare industry must adopt technology to improve secure data transmission and data security measures.

Do you think healthcare providers are doing enough to keep patient’s private information safe? Can the telecom industry learn from the healthcare industry in notifying consumers about data privacy violations?

Tell us what you think in the comments below!