Memorial Sloan Kettering Cancer Center Employees Tricked by Phishing Email
Memorial Sloan Kettering Cancer Center (MSK) has announced that the protected health information of 12,274 individuals has been exposed in a phishing attack. On April 26, 2024, MSK identified suspicious activity in an employee email account. The account was used to send an email to many other MSK employees that contained a link to a spoofed web page that prompted users to log in to their MSK accounts and captured their credentials when they were entered. Several employees were tricked by the email because the message had been sent from a valid MSK account and appeared to be a valid internal request.
An analysis of the compromised email accounts confirmed they contained some protected health information, including first and last names, medical record numbers, diagnoses, medication names, treatment types, and dates of treatment. A subset of the affected individuals also had their contact information (address, email, telephone number) and dates of birth exposed. MSK confirmed that the breach was limited to email accounts, medical records were not accessed, and Social Security numbers and driver’s license numbers were not compromised.
When the attack was discovered, prompt action was taken to lock the threat actor out of all the compromised accounts, and access to the fake webpage was blocked. Further training has been provided to the workforce on email security, including special training for the employees tricked by the scam.
Email Breach Reported by Sheet Metal Workers Local Union #83 Insurance Fund and Annuity Fund
An email account breach has been announced by the Sheet Metal Workers Local Union #83 Insurance Fund and Annuity Fund in New York. The breach was detected on March 25, 2024, and the investigation confirmed that there had been unauthorized access to the email account between March 18, 2024, and March 26, 2024.
After discovering the attack, all passwords were reset to prevent further unauthorized access, and email policies and procedures were reviewed. The review of the affected email account confirmed that it contained the protected health information of 2,186 individuals. The exposed data varied from individual to individual and may have included one or more of the following: names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, state ID numbers, passport numbers, financial account numbers/routing numbers, financial institution names, credit/debit card information, treatment/diagnosis information, prescription information, provider names, medical record numbers, Medicare/Medicaid ID numbers, health insurance information, and/or treatment costs. The affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services.


