City of Hope Cyberattack Affects 827,000 Individuals
City of Hope, a non-profit clinical research and cancer treatment center in Duarte, California, has confirmed that the personal and protected health information of 827,149 individuals was compromised in a 2023 cyberattack. Suspicious activity was detected within some of its systems on October 13, 2023, and after securing the systems and implementing mitigation measures, a forensic investigation was launched to determine the nature and scope of the incident. A third-party cybersecurity firm assisted with the investigation and confirmed there had been unauthorized access to some of its systems between September 19, 2023, and October 12, 2023. During that time, copies of certain files were exfiltrated from its systems.
The delay in issuing notifications was due to the time required to conduct a detailed review of all files on the compromised systems to determine the extent of the data breach. The investigation is ongoing, but City of Hope has confirmed that the files contained personal and protected health information. The types of data involved varied from individual to individual and included names in combination with one or more of the following data elements: contact information such as phone numbers and email addresses, dates of birth, Social Security numbers, driver’s license numbers, other government identification numbers, financial information such as bank account numbers and credit card details, health insurance information, medical records, medical histories, diagnoses/conditions, health insurance information, and unique internal patient identifiers.
City of Hope said additional and enhanced safeguards were implemented promptly and a leading cybersecurity firm was engaged to review the security of its network, systems, and data. The affected individuals are now being notified by mail. City of Hope is offering two years of complimentary credit monitoring and identity theft protection services to the individuals who had their data exposed in the attack.
“Unfortunately, cybercriminals continue targeting the healthcare industry, seeking to gain identity information they can sell on the dark web. Not only the victims of this attack but everyone should be vigilant regarding their email, financial, and social media accounts and credit monitoring. The breach, involving the personal and health information of many individuals, opens the door to sophisticated spear phishing attacks. Cybercriminals will exploit the detailed data to craft highly personalized and convincing phishing emails, aiming to deceive victims further,” said James McQuiggan, security awareness advocate at cybersecurity company KnowBe4. “Individuals must closely monitor their accounts, credit, and emails for any unusual activity. This incident underscores the necessity of proactive cybersecurity measures and personal vigilance in protecting against identity theft and fraud.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy