Medical Oncology Hematology Consultants (MOHC) is notifying patients that their health data was compromised in a hacking incident that occurred nearly a year ago, in June 2018.
MOHC is a cancer treatment center based in Newark, Delaware. According to the substitute breach notice posted on its website, a hacker compromised an employee email account between June 7 and June 8, 2018. The notification also states that the ‘extensive investigation’ into the breach concluded on March 14, 2019, and found that patient information had indeed been exposed during the incident.
The notification does not mention when MOHC first learned of the breach, when it started investigating, or why the breach notifications were sent nearly a year after the breach occurred. According to HIPAA’s Breach Notification Rule, breach notification letters must be sent without ‘unreasonable delay’ and no later than 60 days after the discovery of the breach. As MOHC made no mention of when it discovered the breach, it is unknown whether HIPAA has been violated.
MOHC contracted a third-party computer forensics firm to conduct the investigation. The investigators concluded it was possible that the hacker stole patient data, although they have yet to receive reports suggesting any patient information has been misused.
The breach exposed patient names, dates of birth, Social Security numbers, government ID numbers, financial account information, and health and medical information. As sensitive information was affected by the breach, MOHC has offered affected patients 12 months of membership to credit monitoring and associated services at no cost.
“The practice treats all sensitive information in a confidential manner and is proactive in the careful handling of such information,” officials said in a statement. “We sincerely apologize for this situation and any inconvenience it may cause you.”
Officials have also stated that the organization has taken steps to improve email security including the use of a new, secure portal for the delivery of emails from external sources, additional malware blocking measures, a suspicious email reporting system, encryption of outgoing emails, and the provision of further security awareness training to employees. They have also implemented a safeguard which notifies employees if they are attempting to send emails containing unencrypted sensitive information.
The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many patients have been affected by the breach.
This incident is the second large data breach to be reported by MOHC in the past 2 years. In September 2017, MOHC announced that it was the victim of a ransomware attack that impacted 19,000 patients.