ConnectOnCall breach exposes health data of over 910,000 patients

Healthcare software as a service (SaaS) company Phreesia is notifying over 910,000 people that their personal and health data was exposed in a May breach of its subsidiary ConnectOnCall, acquired in October 2023.

ConnectOnCall is a telehealth platform and after-hours on-call answering service with automated patient call tracking for healthcare providers.

"On May 12, 2024, ConnectOnCall learned of an issue impacting ConnectOnCall and immediately began an investigation and took steps to secure the product and ensure the overall security of its environment," the company revealed.

"ConnectOnCall's investigation revealed that between February 16, 2024, and May 12, 2024, an unknown third party had access to ConnectOnCall and certain data within the application, including certain information in provider-patient communications."

After discovering the breach, Phreesia notified federal law enforcement of the incident and hired external cybersecurity specialists to investigate its nature and impact.

Phreesia also took ConnectOnCall offline and has since been working to restore the systems within a new and more secure environment.

While the statement doesn't include the total number of people impacted, ConnectOnCall told the U.S. Department of Health and Human Services that the breach affected the protected health information of 914,138 patients.

​The personal information exposed during the almost three-month-long breach includes information shared in communications between patients and their healthcare providers, such as names and phone numbers.

This may have also included medical record numbers, dates of birth, as well as information related to health conditions, treatments, or prescriptions, and, in a small number of cases, the affected individuals' Social Security Numbers.

"The ConnectOnCall service is separate from Phreesia's other services, including our patient intake platform. Based on our investigation to date, there is no evidence that our other services have been affected," Phreesia said in a separate statement on its official website.

"We understand the importance of this service to our clients' business, and we are working to restore the ConnectOnCall service as quickly as possible."

Phreesia also advised potentially impacted individuals to report suspected identity theft or fraud to their insurer, health plan, or financial institution, even though the company has no evidence that the exposed personal information has been misused.