128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center


New York Oncology Hematology in Albany, NY, has announced that hackers have gained access to 15 employee email accounts which contained the sensitive information of as many as 128,400 current and former patients and employees.

As is common in phishing attacks, the emails contained a hyperlink to a seemingly legitimate email login page that requested usernames and passwords. When the information was entered, it was harvested by the attackers.

According to the substitute breach notice on the New York Oncology Hematology website, each compromised email account only remained accessible for a short period of time before access was terminated. The email breaches were identified by New York Oncology Hematology’s IT vendor, which shut down access to the compromised accounts by resetting the passwords.

Access to 14 email accounts was gained on April 20, and a second attack took place between April 21 and April 27, which resulted in a further email account being compromised.

New York Oncology Hematology hired a third-party computer forensics firm to investigate the breach and, on October 1, 2018, the firm confirmed that the compromised email accounts contained the protected health information of patients and sensitive employee information. The breach was restricted to patients and employees who joined New York Oncology Hematology prior to April 27, 2018.

The types of information in the compromised accounts differed from individual to individual and may have included names, home addresses, email addresses, dates of birth, insurance information, medical information, diagnostic codes, test results, account numbers, and dates of service. A limited number of patient and employee Social Security and driver’s license numbers were also exposed.

New York Oncology Hematology has not uncovered any evidence to suggest that sensitive information was accessed or stolen by the attackers and no reports have been received to suggest data misuse.

Out of an abundance of caution, New York Oncology Hematology is offering all affected individuals 12 months of complimentary credit and identity theft monitoring services through Experian. New York Oncology Hematology has since taken steps to improve email security.

All individuals potentially impacted by the incident were notified of the breach on November 16, 2018. Given that unauthorized access was rapidly detected and blocked, it is unclear why it took almost 7 months for notification letters to be issued.

Author: HIPAA Journal
