Phreesia Subsidiary ConnectOnCall Suffers Data Breach, 910,000 Affected

Phreesia, a company specializing in SaaS solutions for the healthcare sector, has reported a significant breach of personal and medical data, affecting over 910,000 individuals. The incident stemmed from a cyberattack on its subsidiary platform, ConnectOnCall, in May 2024.

ConnectOnCall, acquired by Phreesia in October 2023, is a telemedicine service and after-hours patient call-handling platform with automated communication tracking features. According to the company, unauthorized access persisted for nearly three months, from February 16 to May 12, 2024.

The breach was detected on May 12, prompting ConnectOnCall to conduct an internal investigation and implement measures to secure its systems. It was revealed that third parties had accessed sensitive data contained in communications between patients and healthcare professionals.

The compromised information includes names, phone numbers, dates of birth, and patient medical identification numbers. Additionally, data related to medical conditions, prescribed treatments, and medications may have been exposed. In a small number of cases, Social Security numbers were also accessed.

Following the discovery of the breach, Phreesia promptly notified federal law enforcement authorities and enlisted external cybersecurity experts for a comprehensive analysis of the incident. The ConnectOnCall platform was temporarily taken offline, and efforts are underway to relaunch the service within a more secure environment.

Phreesia clarified that ConnectOnCall operates independently of its other products. The company assured stakeholders that its other services, including the patient intake platform, were not affected by the breach.

Phreesia has advised affected individuals to take precautionary measures and report any suspicious activity to insurance providers or financial institutions. While there is currently no evidence of data misuse, the company urged heightened vigilance.

According to information submitted to the U.S. Department of Health and Human Services, the breach impacted 914,138 individuals. Phreesia emphasized its commitment to swiftly restoring ConnectOnCall, acknowledging the platform’s critical importance to its clients.