HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Another Phishing Attack Reported by Cancer Treatment Centers of America

Cancer Treatment Centers of America (CTCA) has discovered the email account of an employee of its Southeastern Regional Medical Center has been compromised as a result of a response to a phishing email.

The email account breach occurred on March 10, 2019 after the employee disclosed network login credentials when responding to a seemingly legitimate internal email. CTCA discovered the breach the following day and secured the account by changing the password.

The account was accessible for less than two days, but during that time it is possible that information in emails and email attachments may have been viewed. The third-party computer forensics firm that was retained to conduct an investigation and found no evidence to suggest any patient health information was viewed, but it was not possible to rule out PHI access or data theft.

The compromised email account contained names, addresses, medical record numbers, government ID numbers, health insurance information, and some medical information. No Social Security numbers or financial information were exposed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Individuals affected by the breach are being notified and have been told to be alert to the possibility of misuse of their personal information and to carefully monitor their explanation of benefits statements and other account statements for unfamiliar charges or items.

This is the second successful phishing attack on CTCA to be reported in the past 6 months. In December 2018, an employee’s email account was compromised which contained the protected health information of 41,948 patients.

The breach occurred on May 2, 2018, CTCA was informed about the breach on September 26, 2018, and the breach was announced in early December. In that incident, the account was accessible for less than a day.

In response to the latest incident, further email security enhancements are being evaluated and CTCA is continuing to reinforce security awareness training and is ensuring employees know how to recognize phishing emails.

The HHS’ Office for Civil Rights breach portal indicates the PHI of 16,819 individuals was exposed as a result of the phishing attack

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.