New York Oncology Hematology is notifying 128,400 employees and patients that their patient data may have been breached, after 15 employees fell victim to a phishing campaign in April.
The phishing emails were highly targeted and presented what appeared to be a legitimate email login page, which duped employees into entering their login credentials, according to officials. The hackers harvested the credentials and used them to access the email accounts for a few hours before the IT vendor terminated that access.
After the phishing attacks were identified, officials cut off access by resetting the passwords on the impacted email accounts. The IT vendor notified NYOH of the breaches, and officials launched their incident response protocol.
Officials hired a forensic firm to review the email accounts. The firm found that the first intrusion occurred on April 20, when a hacker accessed 14 separate email accounts. A second intrusion occurred between April 21 and 27 on one additional account.
Investigators found more than one of the impacted accounts contained protected health data and other personal information on patients and employees. The impacted emails contained names, email addresses, home addresses, insurance details, medical data like test results, diagnostic codes, account numbers and service dates.
For some, Social Security numbers and driver’s license numbers were included. Officials are notifying all employees and patients out of an abundance of caution. Any patients who joined NYOH after April 28, 2018 are not included in the breach.
The investigation concluded on October 1, which could explain the delayed breach notification. Under HIPAA, providers must notify patients, the Department of Health and Human Services and the public within 60 days after the breach was discovered.
All impacted employees and patients have been sent notification letters and will be provided a year of free credit monitoring.
The NYOH breach follows the year-long trend of hackers ramping up the sophistication of phishing attacks and malware. Security researchers have warned healthcare will continue to be targeted, and it will only get worse.
In fact, the Minnesota Department of Human Services suffered a similar fate in June and July, when multiple employees fell victim to targeted spear-phishing campaigns. During the hearing, officials noted they had experienced more than 1,600 phishing emails targeting government employees.