Phishing Attacks on Choice Cancer Care Treatment Center and CAH Holdings Impact PHI

A phishing attack on Choice Cancer Care Treatment Center (CCCT) in May 2019 potentially exposed the protected health information (PHI) of some patients to unauthorized people. CCCT is a Texas-based network of cancer care centers.

CCCT detected suspicious activity in an employee’s email account on May 21, 2019. According to the subsequent investigation, an unauthorized person accessed the account from May 1 to May 21, 2019. CCCT secured the email account immediately and engaged a third-party digital forensic company to carry out a comprehensive investigation.

After analyzing the CCCT systems, the investigators confirmed that the breach affected only the email system and that just one email account had been accessed without authorization. The emails and attachments in the account underwent programmatic and manual review, which found that the PHI of some patients was exposed. The review, completed on September 18, 2019, covered all affected patient records and verified the contact details of all affected people. CCCT sent breach notifications to the affected people in November and offered them free credit monitoring and identity theft protection services.

The breached information was limited to patient names, medical data and medical insurance details. The Social Security numbers, passport numbers, driver’s license numbers, and/or credit card numbers of a few patients were also exposed. There’s no way to be certain whether the attacker accessed or obtained any PHI. No reports have been received that indicate any actual or attempted improper use of patient data.

CCCT has already re-assessed its data security policies and procedures and provided further HIPAA training on data privacy and security to employees.

Phishing Attack on CAH Holdings

CAH Holdings Inc. is an independent insurance provider of regional insurance and risk management services. A phishing attack on the company gave unauthorized persons access to the email accounts of a number of employees.

CAH Holdings did not publicly state when the breach occurred or when it was detected. The report stated only that it completed a review of the impacted employee email accounts on September 16, 2019. According to the review, billing-related information provided to CAH Holdings by insurance providers and employers was compromised. It included names, Social Security numbers, and one or more of these data elements: birth date, address, medical insurance number, driver’s license number, medical diagnosis, and treatment program.

A third-party computer forensics company helped review the compromised accounts; however, it could not be determined whether the attackers had opened or copied any email messages or attachments.

In response to the breach, CAH Holdings implemented additional anti-spam controls and multi-factor authentication on its Office 365 email accounts. CAH Holdings also hired a Chief Information Security Officer (CISO) to conduct a complete review of its security practices. Further security measures will be implemented based on the review findings.

There is no proof that sensitive information was misused but, as a safety measure, all affected people received free credit monitoring and identity theft protection services. The affected people are also protected by an insurance reimbursement policy worth $1 million.

Christine Garcia is the staff writer at Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA