A phishing attack on New York Oncology Hematology in Albany, New York resulted to the compromise of 15 employee email accounts and gave the hackers access to the sensitive information contained in the email accounts. A total of about 128,400 present and past patients and employees were affected by the breach.
The phishing attack involved the sending of emails containing a hyperlink going to an email login page that appeared to be legitimate. If anyone enters information, such as usernames and passwords, into the page, attackers harvest the information.
Based on a substitute breach notice posted on the New York Oncology Hematology’s website, the compromised email account was only accessible for a short time and access was terminated immediately. The IT vendor of this cancer treatment center discovered the email breaches and terminated access to the compromised email accounts by resetting the passwords.
The hackers accessed fourteen email accounts on April 20. Another attack occurred from April 21 to April 27, and more email accounts were compromised. A third-party computer forensics company investigated the breach and confirmed on October 1, 2018 that there were patients’ PHI and some employees’ sensitive information contained in the compromised email accounts. The patients and employees impacted by the breach included only those who joined New York Oncology Hematology before April 27, 2018.
The compromised information differed from person to person, but the following may have been included: names, birth dates, home addresses, email addresses, insurance details, medical data, diagnostic codes, lab test results, account numbers, and service dates. The Social Security numbers and driver’s license numbers of some patients and employees were likewise exposed.
New York Oncology Hematology did not receive any evidence regarding the access or theft of sensitive information by the attackers. There was no report of data misuse as well.
As a safety precaution, New York Oncology Hematology offered all affected people one year of free credit and identity theft monitoring services via Experian. The treatment center also took action to improve email security.
All people potentially affected by the breach received breach notification on November 16, 2018. There was no explanation given as to why it took about 7 months to issue notification letters when the unauthorized access was detected and blocked early on.