25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Another Phishing Attack Reported by Cancer Treatment Centers of America

Posted By on May 21, 2019

Cancer Treatment Centers of America (CTCA) has discovered the email account of an employee of its Southeastern Regional Medical Center has been compromised as a result of a response to a phishing email.

The email account breach occurred on March 10, 2019 after the employee disclosed network login credentials when responding to a seemingly legitimate internal email. CTCA discovered the breach the following day and secured the account by changing the password.

The account was accessible for less than two days, but during that time it is possible that information in emails and email attachments may have been viewed. The third-party computer forensics firm that was retained to conduct an investigation and found no evidence to suggest any patient health information was viewed, but it was not possible to rule out PHI access or data theft.

The compromised email account contained names, addresses, medical record numbers, government ID numbers, health insurance information, and some medical information. No Social Security numbers or financial information were exposed.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Individuals affected by the breach are being notified and have been told to be alert to the possibility of misuse of their personal information and to carefully monitor their explanation of benefits statements and other account statements for unfamiliar charges or items.

This is the second successful phishing attack on CTCA to be reported in the past 6 months. In December 2018, an employee’s email account was compromised which contained the protected health information of 41,948 patients.

The breach occurred on May 2, 2018, CTCA was informed about the breach on September 26, 2018, and the breach was announced in early December. In that incident, the account was accessible for less than a day.

In response to the latest incident, further email security enhancements are being evaluated and CTCA is continuing to reinforce security awareness training and is ensuring employees know how to recognize phishing emails.

The HHS’ Office for Civil Rights breach portal indicates the PHI of 16,819 individuals was exposed as a result of the phishing attack

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist