- City of Hope in California recently suffered a data breach in which four staff member email accounts were accessed by an unauthorized party through an email phishing attack.
The cancer research and treatment center employees received the phishing emails on May 31, 2017 and June 2, 2017. Limited access to the four affected email accounts occurred on May 31, June 3, and June 5.
City of Hope officials stated there is presently no indication that the breach resulted in the acquisition of patient medical information, and the accounts were likely not accessed to attain patient information.
Instead, investigators believe the accounts were hacked in an effort to send spam emails to other individuals.
Upon discovering evidence of a phishing attack, City of Hope immediately secured the impacted email accounts to prevent further damage and notified local law enforcement of the incident.
Additionally, the cancer treatment center enlisted the help of a leading forensic IT firm to assist in the investigation.
On July 21, 2017 investigators determined three of the affected email accounts contained PHI.
The information included patient names, medical record numbers, dates of birth, addresses, home addresses, email addresses, telephone numbers, and clinical information including diagnoses, test results, and dates of service.
The information of approximately 3,400 patients may have been affected during the incident, according to the OCR data breach reporting tool.
The emails only included the Social Security number of one patient, and no credit card information or financial information was included in the accounts.
“City of Hope maintains a number of technical safeguards designed to protect against phishing incidents and to detect intrusions,” the center said in its online statement. “City of Hope also requires mandatory cybersecurity training of all workforce members. As a part of the investigation of this incident, City of Hope is evaluating its systems and processes to further strengthen its safeguards to protect against such incidents.”
City of Hope has since notified OCR and state agencies of the incident.
In addition, the cancer treatment center has set up a dedicated call center to answer any questions concerned patients may have regarding the status of their information.
A nearly identical incident occurred at City of Hope in 2016, when an unauthorized party accessed four staff member email accounts in a phishing attack.
The cancer treatment center also issued a statement during the 2016 attack stating the individuals accessed the email accounts for the purposes of sending spam emails and not specifically to target patient information.
Email gaffe affects 1.2K Missouri Medicaid participants
On July 20, 2017, Missouri Care, Inc. discovered a security breach potentially impacting the information of 1,223 Missouri HealthNet Medicaid participants.
The breach occurred when personal patient information was inadvertently mailed to an incorrect email address by one of Missouri Care’s subcontractors, O’Neil Printing.
The improper information disclosure was caused by a software programming error, according to Missouri Care officials.
A statement released by the managed care plan organization said no medical or financial information was released as a result of the error. Potentially exposed information included participant names, dates of birth, MO HealthNet identification account numbers, and Missouri Care member identification numbers.
The software programming error affected Missouri Care managed care program correspondence sent on July 11, 2017 and July 13, 2017.
O’Neil Printing has since resolved the software error to avoid similar incidents in the future.
Following the incident, Missouri Care issued notices to all potentially impacted individuals containing information regarding the breach.
Additionally, Missouri Care is providing affected participants free credit monitoring services and identity theft protection services for one year.
Dermatology group suffers instance of unauthorized health data access
Surgical Dermatology Group (SDG) in Alabama recently received notice of a potential data breach in which an unauthorized party gained access to a server at its Birmingham facility.
TekLinks, Inc. is SDG’s cloud hosting and server management provider, and notified SDG on June 7, 2017 that data contained on its server had been potentially accessed.
SDG immediately launched an investigation into the incident and discovered access may have first started on March 23, 2017.
The cloud hosting provider stated all unauthorized access had ceased as of May, and that no malicious access had occurred from April 22 to May 1.
Following the incident, SDG hired a third-party forensic investigator to assess the extent of the damage. The organization has also contacted the FBI to inform them of the incident.
Potentially accessed information may have included patient names, addresses, phone numbers, email addresses, home and work telephone numbers, cell phone numbers, Social Security numbers, medical record numbers, and insurance information.
However, officials stated no credit card or other financial information was stored on the affected server. Additionally, there presently exists no evidence to suggest patient information has been misused in any way.
SDG has since issued notices to potentially impacted individuals with instructions on how to activate free credit monitoring and identity theft protection services provided by the healthcare organization for one year.
SDG has not revealed how many individuals were affected by the breach.
CA medical center suffers ransomware attack
On June 14, 2017, Pacific Alliance Medical Center (PAMC) suffered a ransomware attack when a virus infected its networked computer systems.
The medical center suspects the ransomware attack began shortly prior to the date the incident was discovered.
Upon discovering evidence of a security breach, PAMC initiated an investigation through its IT department. IT experts determined several files on PAMC’s computer systems had been encrypted by a virus.
The medical center immediately shut down its computer systems and launched an initial incident response, which included a thorough a forensic investigation.
Potentially accessed information included patient names, demographic information, dates of birth, Social Security numbers, employment information, health insurance information, and medical information, including treatments and diagnoses.
To date, PAMC officials stated there is no evidence to suggest any unauthorized individuals have viewed or misused patient information in any way.
PAMC issued letters to potentially affected patients with further information regarding the incident.
Additionally, the medical center has informed the California Department of Public Health, the California Attorney General, and OCR of the potential breach.
“We have strengthened our virus detection and other systems and safeguards to prevent unauthorized persons from gaining access to our systems,” PAMC said in its online statement. “We have also taken other steps to try to prevent similar incidents in the future.”
The medical center is also offering potentially affected patients two years of free credit monitoring and identity theft protection services.
PAMC did not state how many patients may have been affected by the breach.