What happened in the Phreesia/ConnectOnCall data breach?

Phreesia's subsidiary ConnectOnCall experienced a data breach that was discovered on May 12, 2024. The breach exposed personal and health information of 914,138 patients over a period from February 16 to May 12, 2024. Upon discovery, the company notified law enforcement, engaged cybersecurity specialists, and took ConnectOnCall's systems offline.

What types of information were exposed in the breach?

The compromised information includes names, phone numbers, medical record numbers, dates of birth, health conditions, treatment information, prescription details, and in some cases, Social Security numbers. The breach affected ConnectOnCall's telehealth platform but did not impact other Phreesia services.

How is Phreesia responding to the breach?

Phreesia is working to restore ConnectOnCall's services within a new, more secure environment. While they claim there is no evidence of misuse of the exposed information, they are advising affected individuals to report any suspected identity theft or fraud to their insurers, health plans, or financial institutions.

What are the main concerns about this breach?

The main concerns include the extended duration of unauthorized access (nearly three months), which raises questions about the company's security capabilities. Additionally, the breach exposed sensitive healthcare information of over 900,000 patients, though Phreesia emphasizes the incident was isolated to ConnectOnCall and didn't affect their other services.

Incident

Telehealth platform ConnectOnCall breached, exposing data of 910k individuals

published: Dec. 16, 2024

Learn More

Phreesia, a healthcare SaaS company, has disclosed a significant data breach affecting its subsidiary ConnectOnCall, a telehealth platform providing after-hours answering services and patient call tracking.

The breach was discovered on May 12, 2024. The company notified federal law enforcement, engaged external cybersecurity specialists, and took ConnectOnCall's systems offline. They are currently working to restore services within a new, more secure environment. Phreesia has emphasized that the breach was isolated to ConnectOnCall and did not affect their other services, including their patient intake platform.

The incident exposed the personal and health information of 914,138 patients over a nearly three-month period, from February 16 to May 12, 2024.Te compromised information includes:

Names
Phone numbers
Medical record numbers
Dates of birth
Health conditions
Treatment information
Prescription details
Social Security numbers (in a limited number of cases)

The nature of the attack is not disclosed, and the length of unauthorized acces (3 months) raises concerns about the security capabilities of the company.

Phreesia claims there is no evidence of misuse of the exposed information, but they are advising affected individuals to report any suspected identity theft or fraud to their insurers, health plans, or financial institutions.

Telehealth platform ConnectOnCall breached, exposing data of 910k individuals

Read More
CEI Vision Partners reports data breach affecting patient …
Northern Light Health patient data exposed in ransomware …
Prime Healthcare reports another thrid party breach, caused …
Delta Health System reports data breach exposing patient …
Lifeline Systems Company reports data breach from August …