Cancer Treatment Centers of America (CTCA) is informing some patients about the exposure of their protected health information (PHI) because of a phishing-related email security breach at its Southeastern Regional Medical Center, which happened on July 2019.
CTCA identified the attack on July 29, 2019 upon noticing suspicious activity in a CTCA staff member’s email account. As per the breach investigation, the attacker had accessed the account for about 7 days beginning July 22.
Immediately after being aware of the breach, CTCA secured the user’s email account to block further access by the unauthorized person. There is no evidence found that indicates the attacker accessed or copied patient data in email messages or email attachments. However, the possibility cannot be eliminated.
The attacker potentially accessed the following types of information: names, addresses, telephone numbers, birth dates, medical data, medical record numbers, medical insurance data, and some other patient identifiers. There was no exposure of Social Security numbers, therefore, CTCA did not offer credit monitoring and identity theft protection services. But it is recommended that affected patients should keep track of their explanation of benefits statements and, in case of any indication of fraudulent activity, the incident must be reported.
CTCA submitted the breach report to the HHS’ Office for Civil Rights. The breach report indicated that about 3,290 patients were affected by the said breach.
CTCA already reported a total of five breaches to OCR since November 2018. The first breach report, which was submitted on November 6, 2018, impacted 41,948 Western Regional Medical Center patients in Arizona. The second breach report involving phishing attacks was submitted on July 12. About 3,904 Eastern Regional Medical Center patients in Pennsylvania and 3,904 Southeastern Regional Medical Center patients were impacted by the phishing attacks. Another breach involving a phishing attack was reported on May 10, 2019. About 16,819 Southeastern Regional Medical Center patients were impacted.
Humana Employee-Related Data Breach
An employee in Humana before was dismissed from work in December 2018 for disclosing the information of a customer list to another person by sending it to a personal email account.
Included in the list are the following details of about 500 clients in Lafayette, LA: member names, email addresses, address, phone numbers, birth dates, plan numbers and Humana ID numbers.
An internal investigation of the breach was conducted and the wife of the former employee confirmed that the information in the list was used to get in touch with Humana customers from April to May 2019. It was an attempt to find clients for their insurance brokerage company. The wife assured Humana that the list was not shared with anybody else.
Impacted persons received notification about the breach and were instructed to get in touch with Humana if there seems to be fraudulent use of their data.