Getting in to see your doctor in person can be difficult, especially when you’re busy. This is why many Americans have turned to telehealth instead. However, one such service has reported that it fell victim to a data breach in which the personal and medical info of more than 900,000 patients was exposed online.
As reported by BleepingComputer, the service in question is ConnectOnCall, and it’s a subsidiary of the healthcare software as a service company Phreesia. In addition to telehealth, ConnectOnCall provides after-hours on-call answering services for doctor’s offices, hospitals and other healthcare businesses.
Now, though, ConnectOnCall has revealed that between February and May of this year, a third party had access to its service, app data, and some provider-patient communications.
Here’s everything you need to know about this latest medical data breach — the third one I’ve covered this month — along with some tips and tricks on what steps you can take to stay safe from hackers following a security incident like this one.
What data was exposed
In a press release detailing what occurred, ConnectOne explains that after discovering a breach had taken place, it immediately began an internal investigation and sought the help of external cybersecurity specialists to “determine the full nature and scope of the incident.”
As for how many Americans are caught up in this data breach, the company told the U.S. Department of Health and Human Services that approximately 914,138 patients were affected. The personal information exposed during the almost three-month period in which its systems were accessed includes medical record numbers, dates of birth and info related to health conditions, treatments or prescriptions.
Unfortunately though, in a small number of cases, affected individuals also had their Social Security numbers accessed by this unauthorized third party. At this time, we still don’t know if a single individual or a group of hackers was behind the breach itself.
As for ConnectOnCall’s parent company Phreesia, it assured customers that its services, as well as its patient intake platform, were not affected by this attack.
How to stay safe after a data breach
Although I haven’t been able to track down the data breach notification letter from ConnectOnCall yet, it’s already going out to impacted individuals. This means if you use its telehealth services or even if your doctor uses its after-hours on-call answering service, you could soon be getting a letter in the mail.
Just like with the IRS, data breach notifications are sent out via the mail as opposed to email, so if you think you might be affected, you’re going to want to keep a close eye on your mailbox over the coming days/weeks.
Generally, after a significant breach, businesses provide all impacted customers with free access to the best identity theft services. In this case, though, ConnectOnCall is just providing identity and credit monitoring services through Kroll for the limited number of people whose Social Security numbers were exposed in this security incident.
If that includes you and you do get this letter, I’d recommend signing up for this service immediately. While we haven’t reviewed Kroll yet, it currently has an A- rating with the Better Business Bureau and has been in business for 29 years. Recovering from identity theft on your own can take years as well as be very costly, so this is an offer you’re not going to want to miss.
For those who don’t get this offer, it still might be worth signing up for identity theft protection as all of your other personal and medical info could be used by hackers in their attacks. For instance, you’re going to want to be extra careful when checking your inbox, as hackers often use info like this in targeted phishing attacks. Likewise, you will want to check your bank and other financial statements for irregularities, as they could be signs of fraud.
Medical data breaches seem to be all the rage with hackers now, and for good reason. These companies store all sorts of sensitive data and have the money necessary to pay a ransom to stop hackers from leaking their stolen info.
There’s not much you can do in a data breach like this one since it wasn’t your computer that got hacked. Still, though, by practicing good cyber hygiene and signing up for any services offered to you, you can avoid having your identity stolen after a data breach.