DataBreaches[.]net reports that telehealth provider Call-On-Doc, Inc., trading as Call-On-Doc[.]com, allegedly suffered a breach that may have affected more than one million patients, with the firm yet to comment. According to a sales listing on a hacking forum, the breach occurred in early December and 1,144,223 patient records were exfiltrated, including details such as patient name, address, phone number, email, medical category and condition.
The listing also included three screenshots and a 1,000-patient text file; the threat actor claimed there was no evidence of encryption and that the attack went undetected while it was in progress. DataBreaches notes uncertainty about whether HIPAA applies, given Call-On-Doc’s self-pay model, and suggests that state and FTC regulation may apply if HIPAA does not.
The article highlights that regulators may scrutinise notification obligations, given deadlines in HIPAA and state laws, and that DataBreaches has asked Call-On-Doc for comment but received no reply. It concludes with the caution that, while the data appears likely to be real, the site cannot confirm the authenticity of the claims without direct confirmation from Call-On-Doc.