Cancer Treatment Centers of America (CTCA) experienced another email account breach after an employee at its Southeastern Regional Medical Center responded to a phishing email. This happened on March 10, 2019, when the employee responded to what looked like a legitimate internal email and disclosed network login details. CTCA found out about the breach the next day and changed the password to secure the account.
The hacker possibly had access to the account for less than two days and may have viewed information in emails and their attachments. A third-party computer forensics company investigated the incident and found no proof that the hacker viewed any patient health information. Nevertheless, PHI access or data theft can’t be ruled out.
The following information was contained in the compromised email account: names, addresses, government ID numbers, medical record numbers, medical insurance data, and some health data. Social Security numbers and financial data were not included in the compromised account.
CTCA is notifying the people affected by the breach. They were also warned about the possible misuse of their personal data and told to carefully watch their explanation of benefits statements and account statements for strange charges or transactions.
This phishing attack on CTCA is the second incident to be reported in the last 6 months. The first, in December 2018, involved the compromise of an employee’s email account containing the protected health information (PHI) of 41,948 patients. The account was accessible for less than one day. The breach actually took place on May 2, 2018, but CTCA only learned of it on September 26, 2018. The breach was reported in early December.
The latest incident prompted CTCA to further evaluate and enhance its email security. Employee security awareness training will continue, to make certain that employees know how to identify phishing emails.
It is still uncertain how many people were impacted by the most recent breach. CTCA has already reported the security breach to the Vermont Attorney General and the HHS’ Office for Civil Rights, but the Office for Civil Rights breach portal has not published the incident yet.