Incident Overview

On May 12, 2024, ConnectOnCall, a telehealth and automated patient call-tracking service, discovered unauthorized access to its systems. An investigation revealed that the breach spanned from February 16, 2024, to May 12, 2024, during which an unidentified third party accessed provider-patient communications.

Upon discovering the incident, Phreesia promptly took ConnectOnCall offline and enlisted external cybersecurity experts to assess the breach. Federal law enforcement was also notified.

Exposed Data

The breached data includes sensitive patient-provider communications. Specifically, the information compromised may include:

• Names and phone numbers

• Medical record numbers

• Dates of birth

• Health conditions, treatments, or prescriptions

• Social Security Numbers (in limited cases)

A total of 914,138 patients were affected, as reported to the U.S. Department of Health and Human Services.

Response and Mitigation Efforts

Phreesia has taken steps to secure the ConnectOnCall service, rebuilding it in a new and more secure environment. The company has assured that the breach is isolated to ConnectOnCall and does not impact other Phreesia services, such as its patient intake platform.

Phreesia’s official statement emphasized their commitment to restoring the ConnectOnCall platform quickly and securely, noting, “We understand the importance of this service to our clients' business.”

Recommendations for Impacted Individuals

Although there is currently no evidence of misuse of the exposed data, Phreesia advises potentially impacted individuals to take precautions, including:

• Monitoring their health insurance accounts for suspicious activity

• Reporting potential identity theft or fraud to relevant institutions

• Reviewing free credit monitoring or fraud protection services

Conclusion

The breach at ConnectOnCall highlights the risks associated with sensitive healthcare data in telehealth platforms. Phreesia’s efforts to address the issue underscore the importance of robust cybersecurity measures to protect patient information.

Summary:

Healthcare SaaS provider Phreesia has disclosed a significant data breach at its subsidiary, ConnectOnCall, affecting the personal and health data of over 910,000 patients. The breach, which occurred over a three-month period, exposed sensitive patient information, including medical details and, in some cases, Social Security Numbers.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.