Cancer Treatment Centers of America’s Western Regional Medical Center in Bullhead City, Arizona, has recently fallen victim to a phishing attack that exposed the protected health information (PHI) of over 41,000 individuals.
The attack occurred because one of its employees responded to a phishing email. The email was designed to appear as if it had been sent from the email account of a Cancer Treatment Centers of America executive. The attacker used social engineering techniques to convince the employee to disclose the login credentials to the account.
Using these login credentials, the attacker was able to access the account. However, the IT staff at the facility detected the suspicious activity, and the attacker only had access to the account for a short amount of time before the user’s account password was reset. During the time that the email account was accessible, it is possible that some messages containing patients’ protected health information (PHI) were accessed.
Phishing attacks are on the rise, and hospitals and medical facilities are particularly at risk. Hospitals often have a tight infrastructure budget, so their security framework is often not up to scratch. Furthermore, because medical information can command a high black-market value, hackers are likely to launch particularly sophisticated attacks against these organisations to increase their likelihood of success. This may include advanced social engineering, particularly well-designed emails, or other ploys to convince the recipient that the email is genuine and manipulate them into passing on confidential information.
To investigate the attack, Cancer Treatment Centers of America called in a third-party computer forensics firm. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients.
The information in the emails varied from patient to patient and may have included: name, address, email address, date of birth, medical record number, treatment dates, facility visited, physician name, type of cancer, and health insurance information. A small number of Social Security numbers were exposed, but the emails did not include any financial information.
The investigators have not discovered any evidence that any patient information has been used for malicious purposes. However, as these patients do face a greater risk of being victims of identity fraud, free credit monitoring and identity theft protection services have been offered to all patients whose Social Security number was exposed.
Cancer Treatment Centers of America has since provided further training to employees to help them identify suspicious emails. HIPAA rules require that adequate administrative, technical, and physical safeguards are in place at all times to protect confidential information. This requires that employees are trained to spot the signs of suspicious emails and know the best practices for dealing with potential cyberattacks.
The breach occurred on May 2, 2018, and the CTCA Information Technology Department quickly took action to reset the account; however, the Cancer Treatment Centers of America website breach notice states that CTCA only became aware that PHI had been breached on September 26, 2018.
In accordance with HIPAA’s Breach Notification Rule, the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018. Those affected by the breach were promptly sent breach notification letters.