Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings

Choice Cancer Care Treatment Center (CCCT), a network of cancer care centers in Texas, has discovered the protected health information of 14,673 patients has potentially been accessed by unauthorized individuals as a result of a phishing attack in May 2019.

Suspicious activity in the email account of an employee was detected on May 21, 2019. The subsequent investigation confirmed that the account had been accessed by an unauthorized individual between May 1st and May 21st, 2019. The email account was immediately secured, and a third-party digital forensic firm was engaged to conduct a thorough investigation.

An analysis of CCCT systems confirmed that the breach was confined to the email system and only one email account had been subjected to unauthorized access. A programmatic and manual review of all emails and email attachments in the account revealed the protected health information of certain patients had been exposed. The review was completed on September 18, 2019. CCCT then reviewed all affected records and confirmed the contact information for all individuals affected. Breach notifications were sent to affected individuals in November. Individuals affected by the breach have been offered complimentary credit monitoring and identity theft protection services.

The breach was mostly limited to names, medical information and health insurance information. A very small number of patients also had their Social Security number, driver’s license number, passport number, and/or credit card number exposed.

It was not possible to determine whether the attacker viewed or acquired any patient health information. No reports have been received to suggest there has been any actual or attempted misuse of patient information.

CCCT has reviewed its data security policies and procedures and further training has been provided to employees on data privacy and security.

CAH Holdings Reports Phishing Attack Impacting Several Employee Email Accounts

CAH Holdings Inc., an independent insurance agency that provides regional insurance and risk management services, has discovered the email accounts of several employees have been accessed by unauthorized individuals.

CAH Holdings has not publicly disclosed when the breach occurred or when it was detected, stating only that a review of the affected employee email accounts was completed on September 16, 2019. That review confirmed that billing-related information had potentially been compromised, including names and Social Security numbers and some or all of the following data elements: date of birth, address, health insurance number, driver’s license number, diagnosis, and treatment plan. That information had been provided to CAH Holdings by insurance companies and employers.

A third-party computer forensics firm assisted with the review of the compromised accounts, but it was not possible to determine whether any emails or email attachments had been opened or copied by the attackers.

The breach has prompted CAH Holdings to implement multi-factor authentication on its Office 365 email accounts, and anti-spam controls have also been augmented. CAH Holdings has also hired a Chief Information Security Officer (CISO) who will be performing a thorough review of its security protocols. Additional security measures will be implemented, as appropriate, based on the findings of that review.

No evidence of misuse of sensitive information has been uncovered but, as a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. Affected individuals are also covered by a $1 million insurance reimbursement policy.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.