Data Breaches at Cancer Treatment Centers of America and Humana


Cancer Treatment Centers of America (CTCA) sent notifications to some of its patients after their protected health information (PHI) was exposed in a phishing attack and email security breach in July 2019 at its Southeastern Regional Medical Center.

CTCA learned of the phishing attack on July 29, 2019, when suspicious activity was identified in the email account of a CTCA staff member. The breach investigation revealed that the attacker had access to the account for 7 days beginning July 22.

Upon learning about the breach, CTCA promptly secured the email account and blocked the unauthorized individual from further accessing it. No evidence was found that patient data contained in the email messages and attachments was accessed or copied by the attacker. Nevertheless, such a possibility can’t be ruled out.

The attacker possibly accessed these types of data: names, phone numbers, addresses, birth dates, medical record numbers, medical records, medical insurance details, and other patient identifiers. Social Security numbers were not exposed; hence, CTCA did not offer credit monitoring and identity theft protection services to affected patients. Still, it is advisable for the affected patients to check their explanation of benefits statements for fraudulent transactions and report any they find.

The breach report submitted to the HHS’ Office for Civil Rights by CTCA indicated that the incident impacted about 3,290 patients.

Since November 2018, CTCA has reported five breaches to OCR. The first breach report, submitted on November 6, 2018, involved 41,948 patients of Western Regional Medical Center in Arizona. The second breach report was submitted on July 12. The phishing attacks affected 3,904 patients of Eastern Regional Medical Center in Pennsylvania and 3,904 patients of Southeastern Regional Medical Center. Another breach report on May 10, 2019 involved a phishing attack that affected 16,819 patients of Southeastern Regional Medical Center.

Employee-Related Data Breach at Humana

A former Humana employee was terminated in December 2018 for sending the details of a customer list to a personal email account. The list included the information of 500 clients from Lafayette, LA, such as member names, telephone numbers, email addresses, addresses, birth dates, Humana ID numbers, and plan numbers.

The wife of the ex-employee who was investigated confirmed that the list was used to get information on potential clients for an insurance brokerage company. Humana customers received phone calls from April to May 2019. The wife claimed that they did not share the list with anyone else.

The persons affected by this breach received notification letters and were directed to contact Humana in case of fraudulent use of their information.