PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack

Cancer Centers of America’s Western Regional Medical Center in Bullhead City, AZ, has discovered the email account of one of its employees has been compromised as a result of a response to a phishing email.

The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account.

The attacker was able to access the account, but only for a limited time, as the account compromise was detected by IT staff and the user’s account password was reset. However, during the time that the email account was accessible, it is possible that some messages containing patients’ protected health information (PHI) were accessed.

Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients.

The information in the emails varied from patient to patient and may have included name, address, email address, date of birth, medical record number, treatment dates, facility visited, physician name, type of cancer, and health insurance information. A small number of Social Security numbers were exposed, but the emails did not include any financial information.

Free credit monitoring and identity theft protection services have been offered to all patients whose Social Security number was exposed. Cancer Treatment Centers of America has since provided further training to employees to help them identify suspicious emails.

The breach occurred on May 2, 2018 and the CTCA Information Technology Department quickly took action to reset the account; however, the Cancer Treatment Centers of America website breach notice states that CTCA only became aware of the breach of PHI on September 26, 2018.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018.

Author: HIPAA Journal