Cancer Treatment Centers of America (CTCA) has suffered another breach, this time involving the email account of an employee at its Southeastern Regional Medical Center. The breach occurred on March 10, 2019 following a phishing attack: the employee responded to what appeared to be a genuine internal email and disclosed network login details. CTCA discovered the breach the following day and reset the account password.
The attacker could therefore have had access to the account for at most two days, during which the emails and their attachments could have been viewed. A third-party computer forensics firm that investigated the incident found no evidence that the attacker accessed PHI. Nonetheless, access to or theft of PHI cannot be ruled out.
The information in the compromised email account included names, addresses, government ID numbers, some health information, medical record numbers and health insurance data. The account did not contain any Social Security numbers or financial data.
CTCA has already sent breach notification letters to the affected individuals. Recipients are informed that their information could be misused and are advised to monitor their bank account statements and explanation of benefits statements for unusual billing or transactions.
This is the second phishing attack CTCA has experienced in six months. The first, reported in December 2018, potentially compromised the PHI of 41,948 patients held in an employee's email account; in that case the attacker could have had access to the account for less than a day. That breach occurred on May 2, 2018, CTCA became aware of it on September 26, 2018, and it was reported in early December.
In response to the latest incident, CTCA has re-evaluated and strengthened its email security and will provide additional security awareness training so that employees can better recognize phishing emails.
The number of people affected by the breach is not yet known. The Vermont Attorney General and the HHS' Office for Civil Rights have already received CTCA's breach report, but the incident has not yet been posted on OCR's breach portal.