
PHI of 41,000 Patients of Cancer Treatment Centers of America Potentially Compromised in Phishing Attack

Cancer Treatment Centers of America’s Western Regional Medical Center in Bullhead City, AZ, has discovered that the email account of one of its employees was compromised after the employee responded to a phishing email.

The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account.

The attacker was able to access the account, but only for a limited time, as the account compromise was detected by IT staff and the user’s account password was reset. However, during the time that the email account was accessible, it is possible that some messages containing patients’ protected health information (PHI) were accessed.

Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients.


The information in the emails varied from patient to patient and may have included: name, address, email address, date of birth, medical record number, treatment dates, facility visited, physician name, type of cancer, and health insurance information. A small number of Social Security numbers were exposed, but the emails did not include any financial information.

Free credit monitoring and identity theft protection services have been offered to all patients whose Social Security number was exposed. Cancer Treatment Centers of America has since provided further training to employees to help them identify suspicious emails.

The breach occurred on May 2, 2018, and the Cancer Treatment Centers of America (CTCA) Information Technology Department quickly took action to reset the account; however, the CTCA website breach notice states that CTCA only became aware of the breach of PHI on September 26, 2018.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.