Share this article on:
Cancer Treatment Centers of America (CTCA) has discovered the email account of an employee of its Southeastern Regional Medical Center has been compromised as a result of a response to a phishing email.
The email account breach occurred on March 10, 2019 after the employee disclosed network login credentials when responding to a seemingly legitimate internal email. CTCA discovered the breach the following day and secured the account by changing the password.
The account was accessible for less than two days, but during that time it is possible that information in emails and email attachments may have been viewed. The third-party computer forensics firm that was retained to conduct an investigation and found no evidence to suggest any patient health information was viewed, but it was not possible to rule out PHI access or data theft.
The compromised email account contained names, addresses, medical record numbers, government ID numbers, health insurance information, and some medical information. No Social Security numbers or financial information were exposed.
Individuals affected by the breach are being notified and have been told to be alert to the possibility of misuse of their personal information and to carefully monitor their explanation of benefits statements and other account statements for unfamiliar charges or items.
This is the second successful phishing attack on CTCA to be reported in the past 6 months. In December 2018, an employee’s email account was compromised which contained the protected health information of 41,948 patients.
The breach occurred on May 2, 2018, CTCA was informed about the breach on September 26, 2018, and the breach was announced in early December. In that incident, the account was accessible for less than a day.
In response to the latest incident, further email security enhancements are being evaluated and CTCA is continuing to reinforce security awareness training and is ensuring employees know how to recognize phishing emails.
The HHS’ Office for Civil Rights breach portal indicates the PHI of 16,819 individuals was exposed as a result of the phishing attack