A phishing attack on Cancer Treatment Centers of America (CTCA) has compromised patient protected health information (PHI).
CTCA is a national cancer care network, operating five hospitals across the United States. On March 11, 2019, CTCA discovered that a phishing attack had compromised the email account of an employee at its Southeastern Regional Medical Center.
CTCA immediately took steps to secure the account and block unauthorized access by changing the email password. An investigation was launched into the breach to determine how it had occurred, for how long the hacker had access to the account, and whether any patient information was compromised. CTCA hired a third-party computer forensics firm to assist with the investigation.
The investigators discovered that the hacker compromised the account on March 10, 2019, giving the hacker roughly a day to access the information. The hacker had spoofed an internal email, fooling the employee into disclosing their account login information.
Despite the window of undetected access, the investigators did not uncover any evidence to suggest the hacker had viewed, downloaded, or otherwise used patient health information. However, it was not possible to rule out PHI access or data theft conclusively.
Investigators determined that the compromised email account contained names, addresses, medical record numbers, government ID numbers, health insurance information, and some medical information. The breach did not affect Social Security numbers or financial information.
Following HIPAA’s Breach Notification Rule, CTCA has notified individuals affected by the breach. Affected patients have been warned of the possibility of misuse of their personal information and advised to carefully monitor their explanation of benefits statements and other account statements for unfamiliar charges or items.
This is the second successful phishing attack on CTCA to be reported in the past year. In December 2018, CTCA reported that an employee’s email account containing the protected health information of 41,948 patients had been compromised.
That breach occurred on May 2, 2018; CTCA was informed of it on September 26, 2018; and it was announced in early December 2018.
In response to the latest incident, CTCA is reviewing enhanced email security safeguards. CTCA is also providing security awareness training to help employees recognize phishing emails. Considering this is the second successful attack in 12 months, cybersecurity awareness training is essential for CTCA employees to prevent a third attack.
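The attack described above worked because an email that looked internal was not: the sender domain was spoofed. One of the "enhanced email security safeguards" a mail gateway can apply is to treat any inbound message that claims the organization's own domain in its From header, yet fails SPF/DKIM/DMARC or carries an external Reply-To, as suspect. The script below is an added illustration of that check; it is not CTCA's code or configuration, and the domain `example-hospital.test`, the header values and the three sample messages are all constructed for the example.

```python
# Added example (not from the article or CTCA): a mail-gateway style check that
# flags inbound messages claiming to come from the organization's own domain
# while failing sender authentication or carrying an external Reply-To, which is
# the shape of the spoofed "internal" email the article describes. The domain,
# header values and sample messages below are all constructed for illustration.
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-hospital.test"  # placeholder org domain, not CTCA's


def parse_auth_results(header):
    """Reduce an Authentication-Results header (RFC 8601 style) to {method: result}.

    'mx.example; spf=fail smtp.mailfrom=x; dkim=none' -> {'spf': 'fail', 'dkim': 'none'}
    """
    results = {}
    # The first ';'-separated field is the authserv-id; the rest are method results.
    for field in header.split(";")[1:]:
        tokens = field.strip().split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def domain_of(address):
    """Return the lower-cased domain part of an email address, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate(raw_message):
    """Classify one raw RFC 5322 message. Returns a dict with the verdict and reasons."""
    msg = email.message_from_string(raw_message)
    claims_internal = domain_of(msg.get("From", "")) == INTERNAL_DOMAIN
    findings = []
    if claims_internal:
        auth = parse_auth_results(msg.get("Authentication-Results", ""))
        # Mail that really left our own servers should authenticate cleanly;
        # a missing or failing result on an "internal" sender is the tell.
        for method in ("spf", "dkim", "dmarc"):
            if auth.get(method) != "pass":
                findings.append(f"{method}={auth.get(method, 'missing')}")
        # A Reply-To pointing outside the org routes the victim's answer elsewhere.
        reply_domain = domain_of(msg.get("Reply-To", ""))
        if reply_domain and reply_domain != INTERNAL_DOMAIN:
            findings.append(f"reply-to outside org: {reply_domain}")
    verdict = "quarantine" if findings else "deliver"
    return {"subject": msg.get("Subject", ""), "claims_internal": claims_internal,
            "findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Helpdesk" <helpdesk@example-hospital.test>
Reply-To: reset@mail-verify.example.net
To: staff@example-hospital.test
Subject: Action required: password expires today
Authentication-Results: mx.example-hospital.test; spf=fail smtp.mailfrom=mail-verify.example.net; dkim=none; dmarc=fail header.from=example-hospital.test

Your mailbox password expires today. Sign in at the link below to keep access.
"""

LEGIT = """\
From: "IT Helpdesk" <helpdesk@example-hospital.test>
To: staff@example-hospital.test
Subject: Scheduled maintenance window
Authentication-Results: mx.example-hospital.test; spf=pass smtp.mailfrom=example-hospital.test; dkim=pass header.d=example-hospital.test; dmarc=pass header.from=example-hospital.test

Email will be unavailable Saturday 02:00-04:00 for maintenance.
"""

EXTERNAL = """\
From: "Supplier" <orders@supplier.example.org>
To: purchasing@example-hospital.test
Subject: Invoice 1042
Authentication-Results: mx.example-hospital.test; spf=pass smtp.mailfrom=supplier.example.org; dkim=pass header.d=supplier.example.org

Please find the invoice attached.
"""


def triage(messages):
    """Evaluate a batch of raw messages and return the list of verdict dicts."""
    return [evaluate(m) for m in messages]


if __name__ == "__main__":
    for result in triage([PHISH, LEGIT, EXTERNAL]):
        print(result["verdict"], "|", result["subject"], "|", "; ".join(result["findings"]))
```

Run as-is, the script quarantines the constructed phish (SPF fail, no DKIM, DMARC fail, external Reply-To), delivers the genuine internal notice, and leaves the supplier invoice untouched because that message never claims to be internal; external senders are the job of other controls. In a real deployment the Authentication-Results header must be the one stamped by your own border MTA, since an attacker can inject a forged copy; gateways handle this by stripping any pre-existing instance on ingress before adding their own.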
It is currently unclear how many individuals have been affected by the latest breach. The security breach has been reported to the Vermont Attorney General, but the incident has not yet appeared on the HHS’ Office for Civil Rights breach portal.