Cancer Treatment Centers of America Experiences Another Phishing Attack

Cancer Treatment Centers of America (CTCA) is notifying certain patients that some of their protected health information (PHI) has been exposed as a result of a phishing-related email security breach that occurred in July 2019 at its Southeastern Regional Medical Center.

The attack was identified on July 29, 2019, when suspicious activity was detected in the email account of a CTCA staff member. The breach investigation revealed the attacker had gained access to the account for a period of around 7 days from July 22.

Upon detection of the breach, the user’s email account was secured to prevent further unauthorized access. The investigation did not uncover any evidence to suggest patient information in emails and email attachments was accessed or copied by the attacker, but the possibility could not be ruled out.

The types of information potentially accessed included names along with addresses, phone numbers, dates of birth, health insurance information, medical information, medical record numbers, and other patient identifiers.

No Social Security numbers were exposed in the breach, so credit monitoring and identity theft protection services are not being provided. Affected patients have been advised to monitor their explanation of benefits statements and report any suspected fraudulent activity to their insurers.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 3,290 patients have been affected by the latest breach.

In total, five breaches have been reported to OCR by CTCA since late November 2018. The first, reported to OCR on November 6, 2018, affected 41,948 patients of Western Regional Medical Center in Arizona. Phishing attacks reported to OCR on July 12 affected 3,904 patients of Eastern Regional Medical Center in Pennsylvania and 3,904 patients of Southeastern Regional Medical Center. A further 16,819 patients of Southeastern Regional Medical Center were affected by a phishing attack reported to OCR on May 10, 2019.

Humana Notifies Lafayette Customers of Employee-Related Data Breach

A former Humana employee who was terminated in December 2018 for emailing a customer list to a personal email account is believed to have disclosed that information to another individual.

The list contained the details of approximately 500 customers in the Lafayette, LA area, including member names, addresses, email addresses, telephone numbers, dates of birth, Humana ID numbers, and plan numbers.

The breach was investigated internally and, as part of that investigation, the former employee’s wife confirmed that she and her husband used the list to contact Humana customers between April and May 2019 in an attempt to solicit business for their own insurance brokerage firm. Humana has been assured that the list was not disclosed to anyone else.

Affected individuals have now been notified and have been told to contact Humana if they believe there has been any fraudulent use of their information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.