INTEGRIS Health, Oklahoma’s largest not-for-profit health system, is under legal fire after a hacker claimed to have accessed sensitive information from over 2.2 million patients in a November cyberattack. The breach remained undisclosed until Christmas Eve when affected individuals received an email demanding payment for the deletion of their personal data. The delayed response has triggered lawsuits and public outrage, with impacted patients expressing frustration over INTEGRIS’s handling of the situation.
The controversy deepens as a separate healthcare system in northeast Oklahoma experiences a cyberattack within the same week. Lawmakers are now proposing legislation mandating hospitals to promptly notify the Attorney General’s Office post data breaches. Despite INTEGRIS Health believing the attack occurred on November 28, patients were only informed on January 5, approximately 38 days after the breach and 12 days after the hacker’s email. The breach, coupled with the delayed response, has raised concerns among the affected community.
INTEGRIS Health, Edmond’s largest private employer, faces criticism for its cybersecurity measures, exacerbated by a recent switch in digital security providers. The health system transitioned from VMWare to Citrix in the fall of 2023, temporarily returning to VMWare. Complications arising from this shift reportedly led to disruptions in accessing patient data. While the company remains tight-lipped about the specifics, FBI involvement in an ongoing investigation suggests the severity of the situation. INTEGRIS Health’s offer of 24 months of free credit monitoring to affected patients aims to mitigate the fallout, but the incident underscores the challenges healthcare providers face in safeguarding sensitive information in the digital age.
