14,795 Washington University School of Medicine Oncology Patients Impacted Due to Phishing

by
Washington University School of Medicine making 14,795 oncology patients aware that some of their PHI may have been impacted in a phishing attacking during January 2020.A hacker obtained access to the email account of a research supervisor in the Division of Oncology during January after a reply was sent to a phishing email. The group move quickly to address the breach and prevent additional access. As part of this an external forensics firm was engaged to help out with the review.

A thorough interview of emails and email attachments in the account revealed they included the following patient details: Names, dates of birth, medical record info, patient account details, limited treatment and/or clinical information, including diagnoses, suppliers, and laboratory test outcomes. Some patients also had their health insurance information and/or Social Security numbers breached.

Impacted clients have been informed of the breach and anyone who may have had their Social Security number were potentially stolen has been offered with free membership to credit monitoring and identity protection services.

Washington University School of Medicine has put in place a process to improve email security and has conducted further education for its employees to allow them to spot phishing.

Elsewhere, the Doctors Community Medical Center in Maryland discovered a data breach during January 2020 when suspicious activity was spotted in its payroll system.

A review into the breach indicated that a small number of employees had been tricked by phishing emails and had shared their account credentials to the cybercriminals. Along with accessing the staff email accounts, the hackers also had were able to view payroll information.

The investigation revealed that the first accounts were accessed on November 6, 2019, with access available until January 30, 2020.

On February 13, 2020, Doctors Community Medical Center announced that some of the compromised email accounts contained data sheets that included patient data. Due to this a complete review of systems was conducted by third-party investigators was unable to confirm if patient data had been accessed, copied, or shared, although no reports have been submitted to suggest patient information has been improperly used. Since unauthorized data access could not be discarded, patients have been contacted and offered complimentary credit monitoring and identity restoration services to half safeguard their data.

The group is current devising new policies and procedures, with extra safeguards, to prevent potential attacks.