Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached


The email accounts of several employees of Medford, OR-based Hematology Oncology Associates, P.C. have been compromised after the employees responded to phishing emails. The phishing attack was detected on March 19, 2018, although the investigation revealed the first account was breached on December 18, 2018. Further accounts were compromised up until February 22, 2019.

Third-party computer forensics experts were retained to investigate the breach, but it was not possible to determine which, if any, emails and attachments had been opened by the attackers.

The breach investigation was concluded on April 20 and confirmed that some of the emails and attachments in the compromised accounts contained patients’ protected health information.

A password reset has been performed to prevent further unauthorized access, and additional security awareness training will be provided to employees.

The breach has been reported to the HHS’ Office for Civil Rights and state attorneys general, and affected individuals have been offered free membership to Experian’s IdentityWorks credit monitoring and identity theft protection services.

It is currently unclear how many people have been affected by the breach.

Former Penn Medicine Employee Accused of Accessing and Misusing Patient Information

A former medical assistant at Penn Medicine has been accused of accessing patient information without authorization and misusing the information of at least one patient.

The contract employee had been hired through a staffing agency and worked at Penn Medicine between February and April 2019. Penn Medicine learned on April 29, 2019, that the employee had accessed patient information without any legitimate work reason for doing so.

The types of information that could have been viewed included names, demographic information, clinical information and, for certain patients, Social Security numbers. In total, the former employee had accessed 900 patient records during the 3 months of employment.

Penn Medicine spokesperson Lauren Steinfeld issued a statement saying Penn Medicine is aware of one patient whose PHI had been misused, although the nature of that misuse was not disclosed.

All 900 patients have now been notified about the privacy breach. Penn Medicine is also reviewing its use of contractors and staffing agencies and will be taking steps to ensure all employees maintain high professional standards.

Author: HIPAA Journal
