HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center

New York Oncology Hematology in Albany, NY, has announced that hackers gained access to 15 employee email accounts that contained the sensitive information of as many as 128,400 current and former patients and employees.

As is common in phishing attacks, the emails contained a hyperlink to a seemingly legitimate email login page that requested usernames and passwords. When the information was entered, it was harvested by the attackers.

According to the substitute breach notice on the New York Oncology Hematology website, each compromised email account only remained accessible for a short period of time before access was terminated. The email breaches were identified by New York Oncology Hematology’s IT vendor, which shut down access to the compromised accounts by resetting the passwords.

Access to 14 email accounts was gained on April 20, and a second attack took place between April 21 and April 27, which resulted in a further email account being compromised.

New York Oncology Hematology hired a third-party computer forensics firm to investigate the breach and, on October 1, 2018, the firm confirmed that the compromised email accounts contained the protected health information of patients and sensitive employee information. The breach was restricted to patients and employees who joined New York Oncology Hematology prior to April 27, 2018.

The types of information in the compromised accounts differed from individual to individual and may have included names, home addresses, email addresses, dates of birth, insurance information, medical information, diagnostic codes, test results, account numbers, and dates of service. A limited number of patient and employee Social Security and driver’s license numbers were also exposed.

New York Oncology Hematology has not uncovered any evidence to suggest that sensitive information was accessed or stolen by the attackers and no reports have been received to suggest data misuse.

Out of an abundance of caution, New York Oncology Hematology is offering all affected individuals 12 months of complimentary credit and identity theft monitoring services through Experian. New York Oncology Hematology has since taken steps to improve email security.

All individuals potentially impacted by the incident were notified of the breach on November 16, 2018. Given that unauthorized access was rapidly detected and blocked, it is unclear why it took almost 7 months for notification letters to be issued.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.