A recent data breach at ConnectOnCall, a telehealth platform acquired by Phreesia in October 2023, has compromised the personal and health information of over 910,000 patients. The breach occurred between February 16 and May 12, 2024, when an unknown third party gained unauthorized access to the platform. Phreesia, the parent company of ConnectOnCall, revealed that it took immediate steps to secure the platform and began investigating the incident upon discovering the breach.
The exposed data includes a range of sensitive information shared between patients and healthcare providers, such as names, phone numbers, medical record numbers, dates of birth, health conditions, treatments, and prescriptions. In a small number of cases, affected individuals’ Social Security numbers were also compromised. The company has assured the public that there is no evidence suggesting other Phreesia services, such as its patient intake platform, were affected by the breach.
Phreesia has been working closely with federal law enforcement and external cybersecurity experts to investigate the nature of the breach and its impact. The company took the ConnectOnCall service offline temporarily and has since been working to restore it in a more secure environment. The breach has been disclosed to the U.S. Department of Health and Human Services, and Phreesia is actively notifying impacted individuals.
Although Phreesia has stated there is no evidence that the exposed personal information has been misused, the company has advised affected individuals to report any suspected identity theft or fraud to their financial institutions, insurers, or health plans. This breach highlights the growing risks associated with telehealth platforms and underscores the importance of robust cybersecurity measures to protect sensitive health data.
Reference:
