Cancer Treatment Centers of America at Western Regional Medical Center is notifying about 41,948 patients that their personal data was potentially breached by a phishing attack.
On September 26, officials discovered an email account was hacked, after an employee fell victim to a phishing attack on May 2. The employee shared their network log-in credentials in response to a fraudulent email that appeared to be sent from a CTCA executive.
The investigation determined that an unauthorized user could have potentially accessed the account for a short time on May 2, as the employee was prompted to change their password within hours of the attack at the direction of the IT team, after which the compromised credentials could no longer be used.
However, the investigation could not rule out access or determine what information was seen by the hacker before the password was changed.
The emails contained typical patient information like names and addresses, along with sensitive data like the medical record number, facility visited, treatment date, physician name, cancer type and/or health data. Some Social Security numbers were included in the breached data.
CTCA is notifying all impacted patients and providing free credit monitoring and identity protection services for those whose Social Security number was involved. Officials have also provided employees with further education on how to identify suspicious emails.
This is just the latest in a long line of major breaches caused by phishing attacks. Targeted phishing attacks have increased throughout the course of 2018. In fact, phishing attacks were the greatest cyber threat of the third quarter, with at least 10 breaches, according to the Protenus Breach Barometer.
Just last week, Georgia Spine and Orthopaedics of Atlanta began notifying 7,000 patients of a breach caused by a phishing attack on an employee account. And New York Oncology Hematology began notifying 128,000 patients last month of a breach caused by 15 employees falling victim to targeted phishing attacks in April.
This story has been updated to reflect the correct number of patients impacted by the breach.