Thousands of Patients Impacted by Breaches at Cancer Treatment Centers of America and Edgepark Medical Supplies

Edgepark Medical Supplies (EMS) has discovered that an unauthorized individual gained access to certain customer accounts, changed the shipping addresses on those accounts, and had orders redirected to other addresses. On May 13, 2019, EMS discovered the potential breach and disabled the affected online accounts.

The investigation revealed that the unauthorized individual gained access to the accounts using brute force tactics, often referred to as a password spraying attack: an automated, sustained attempt to gain access to accounts by trying commonly used passwords and dictionary words until the correct password is guessed.
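The attack described above leaves a recognisable trace in authentication logs: one source address producing failed logins against many different accounts in a short time, which looks nothing like a single customer mistyping their own password. The following is an added detection example, not code from the article or from EMS; the log format, the field names, the thresholds and the sample log lines are all constructed for illustration.

```python
"""
Detect a password-spraying pattern in authentication logs.

Heuristic: a single source address accumulates login failures against
at least `min_accounts` distinct users inside a sliding time window.
Any login success from a flagged source after the spray began is
reported as a likely account takeover for an analyst to review.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format; not real breach data).
SAMPLE_LOG = """\
2019-05-12T09:00:01Z login_failed user=alice src=203.0.113.5
2019-05-12T09:00:02Z login_failed user=bob src=203.0.113.5
2019-05-12T09:00:03Z login_failed user=carol src=203.0.113.5
2019-05-12T09:00:04Z login_failed user=dave src=203.0.113.5
2019-05-12T09:00:05Z login_failed user=erin src=203.0.113.5
2019-05-12T09:00:06Z login_success user=erin src=203.0.113.5
2019-05-12T09:01:00Z login_failed user=frank src=198.51.100.7
2019-05-12T09:01:05Z login_failed user=frank src=198.51.100.7
2019-05-12T09:01:09Z login_success user=frank src=198.51.100.7
"""


def parse_line(line):
    """Parse one '<timestamp> <event> user=<u> src=<ip>' line into a dict."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, min_accounts=5, window=timedelta(minutes=10)):
    """
    Return (flagged, takeovers).

    flagged:   {source_ip: time the spray threshold was first crossed}
    takeovers: [(source_ip, user, time)] for successes from a flagged source
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(list)  # src -> [(ts, user)] within the window
    flagged = {}
    takeovers = []

    for e in events:
        src = e["src"]
        if e["event"] == "login_failed":
            cutoff = e["ts"] - window
            # Keep only failures still inside the sliding window.
            failures[src] = [f for f in failures[src] if f[0] >= cutoff]
            failures[src].append((e["ts"], e["user"]))
            distinct_users = {u for _, u in failures[src]}
            # Many *distinct* accounts from one source is the spray signal;
            # repeated failures on one account (frank) is not.
            if len(distinct_users) >= min_accounts and src not in flagged:
                flagged[src] = e["ts"]
        elif e["event"] == "login_success" and src in flagged:
            takeovers.append((src, e["user"], e["ts"]))

    return flagged, takeovers


if __name__ == "__main__":
    flagged, takeovers = detect_spray(SAMPLE_LOG)
    for src, when in flagged.items():
        print(f"spray source {src} flagged at {when.isoformat()}")
    for src, user, when in takeovers:
        print(f"review: success for {user} from {src} at {when.isoformat()}")
```

The threshold and window are starting points to tune against a baseline of normal failure rates; a slow spray spread over hours, or one rotated across many source addresses, will evade a per-source count like this, which is why lockout-resistant rate limiting and multi-factor authentication remain the controls that actually stop the guessing.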

Once account passwords had been guessed, shipping addresses were changed to redirect orders. It is possible that orders were placed by the attacker without the account holders' knowledge. EMS is still investigating the breach and will be issuing refunds to any customers who have been charged for fraudulent orders.

In addition to fraudulent use of their accounts, the following information may have been viewed or obtained by the hacker: customer name, address, date of birth, products ordered through the website, and health insurance information.

The HHS’ Office for Civil Rights breach portal shows 6,572 customers were affected by the breach. EMS is reevaluating its security controls and will be implementing additional measures to prevent similar breaches in the future.

This is the third large data breach to be reported by EMS in the past 5 years. Malware was installed on its network in 2014 for 9 months before it was detected. The breach affected 4,230 patients. In January 2018, 4,586 patients had a limited amount of PHI impermissibly disclosed due to a mailing error.

Cancer Treatment Centers of America Reports 8,463-Record Data Breach

An email account breach has occurred at Cancer Treatment Centers of America’s Eastern Regional Medical Center. The breach was detected on June 6, 2019 when unusual activity was detected in an employee’s email account. The password for the account was immediately changed to prevent further access and an internal investigation was launched. Unauthorized access to the account first occurred on May 4, 2019 and continued until May 15.

It is unclear whether the attacker viewed emails in the account or copied any patient information. No evidence of data theft or fraudulent use of patient information has been found.

An analysis of the compromised account revealed it contained the protected health information of 3,904 patients of the CTCA Eastern Regional Medical Center in Pennsylvania and 4,559 patients of the CTCA Southeastern Regional Medical Center in Georgia.

The types of information exposed varied from patient to patient and may have included the patient’s name along with one or more of the following data elements: address, phone number, date of birth, medical record number, other patient identifiers, medical information, and health insurance information.

CTCA has provided further training to employees to raise awareness of common security threats, and technical controls are being evaluated and will be augmented to improve email security.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.