Integris Health patients receive Christmas Eve demand for money to delete stolen data
Members of Oklahoma-based healthcare provider Integris Health reportedly received messages from hackers on Christmas Eve telling them that their data had been breached, along with a demand for payment to delete their stolen data.
According to a “data privacy incident” notice from Integris, the stolen data was accessed via “potential unauthorized activity on certain systems” on Nov. 28. An investigation subsequently found that “certain files” may have been accessed. According to the nonprofit, the information stolen varies by individual but may include name, date of birth, contact information, demographic information and Social Security number.
Aside from using vague, noncommittal language, the breach disclosure was fairly standard. Along with a commitment to further investigation, Integris also informed potentially affected customers and provided information on how affected customers can protect their personal information, including monitoring free credit reports for suspicious activity.
But then the story takes a twist: The hackers reached out to the victims in an unwanted Christmas surprise. The hackers sent extortion emails to patients claiming they had stolen the personal data of more than 2 million patients.
The emails apparently contained personal information confirming that the data was stolen in the attack. Having seemingly failed to extort money from Integris, the hackers then tried their luck with the victims.
“We have contacted Integris Health, but they refuse to resolve this issue,” the extortion email sent to Integris patients reads. “We give you the opportunity to remove your personal data from our databases before we sell the entire database to data brokers on Jan 5, 2024.”
The emails include a link to an extortion site that lists the stolen data and offers victims the ability to view their stolen data for $3 and the ability to pay $50 to delete it. In an update to its breach notice, Integris Health is encouraging anyone receiving the emails not to respond to or contact the sender or follow any instructions, including accessing any links.
Although it’s not confirmed which hacking gang may have been behind the breach, Bleeping Computer reported Tuesday that similar emails were sent to victims of a breach at the Fred Hutchinson Cancer Center earlier in December. The Hunters International ransomware gang claimed responsibility for that attack.
Victims being contacted by hackers after having their details stolen is not new. The hack of Ashley Madison in 2015 is perhaps the most infamous example, but it’s also not that common.
Contacting potentially millions of victims — the number of affected victims at Integris Health is believed to be about 2 million but could be higher — and asking them to cough up $50 each is highly uncommon. That’s because usually hacking groups can’t be bothered to go after individual victims for small amounts when the target is the company or, in this case, the nonprofit health group they’ve attacked.
Whether it will be a cybersecurity trend in 2024 is yet to be seen, but if it is, it will certainly raise awareness around cybersecurity if individual victims are regularly contacted by hackers demanding money every time a company or organization is breached.