Integris Health reaches $30 million settlement over 2023 data breach
Farah Amod
Oct 31, 2025 1:00:00 AM
The Oklahoma health system will pay $30 million to settle multiple class action lawsuits following a cyberattack that exposed the data of over 2.3 million patients.
What happened
Integris Health, one of Oklahoma’s largest healthcare systems, has agreed to a $30 million settlement to resolve class action litigation tied to its 2023 data breach. The cyberattack, first reported in December 2023, allowed hackers to access patient data and later demand payment directly from affected individuals.
Hackers infiltrated Integris Health’s network on November 28, 2023, stealing sensitive files but not encrypting them. Instead, they demanded payment to prevent public release. Weeks later, some patients reported being contacted by the attackers, who offered to delete stolen records for $50 per person.
Integris Health notified the U.S. Department of Health and Human Services in February 2024 that the protected health information of 2,385,646 individuals had been compromised. The stolen data included names, contact details, Social Security numbers, and demographic information.
Going deeper
The breach led to more than 20 lawsuits filed across Oklahoma County and the U.S. District Court for the Western District of Oklahoma. These were later consolidated into a single case, Bointy et al. v. Integris Health, Inc., which alleged that the health system failed to implement adequate cybersecurity measures. Plaintiffs claimed the breach exposed minors’ information and left patients vulnerable to identity theft and fraud.
Integris Health attributed the breach to its business associate, Tech Mahindra, but later dropped the company from the case. While denying wrongdoing, Integris Health agreed to the settlement to avoid the cost and uncertainty of prolonged litigation.
What was said
Integris Health maintains that it was a victim of a criminal attack and denies negligence but has since enhanced its cybersecurity policies and procedures. Attorneys representing the plaintiffs described the settlement as a meaningful step toward accountability for patients whose data was mishandled.
Court documents indicate that the judge granted preliminary approval for the agreement, noting that it provides “substantial and fair” benefits to affected individuals.
The big picture
According to Paubox report data, many healthcare breaches trace back to “poor technical configurations,” with 31.1% of breached organizations found to have multiple security gaps that left them exposed to major threats. The report also warned that failing to perform accurate risk analyses leaves entities vulnerable to hacking and ransomware attacks, which have surged 264% since 2018. These incidents pose a “direct and significant threat to patient safety,” as they disrupt care delivery, delay procedures, and erode patient trust, issues proven by the scale and impact of the Integris Health breach.
FAQs
Why is the Integris Health case significant for healthcare leaders?
It’s one of the first major breaches where attackers directly contacted patients for ransom, showing how criminal tactics are evolving and how data loss can quickly turn into patient-level extortion and reputational damage.
What operational failure stands out most?
The breach revealed weaknesses in vendor oversight and network segmentation. Integris initially blamed a third-party associate, highlighting the need for strict business associate agreements (BAAs), continuous vendor audits, and enforced least-privilege access controls.
What does the $30 million settlement indicate about risk exposure?
It signals that courts and plaintiffs’ attorneys are treating large-scale patient data theft as both a privacy and safety issue. Financial liability now extends beyond remediation costs to encompass emotional and reputational harm to affected individuals.
What does “preliminary approval” mean in a class action settlement?
It indicates the court has reviewed the proposed agreement and determined it is fair enough to notify affected individuals before a final approval hearing.
How does this settlement compare to others in healthcare breaches?
While smaller than settlements in some national cases, $30 million ranks among the higher payouts for a regional health system, reflecting both the scale of exposure and the direct harm caused by patient extortion attempts.
 
   