PHI of 41,000 Cancer Treatment Centers of America Patients Potentially Exposed

Cancer Treatment Centers of America’s Western Regional Medical Center located in Bullhead City, AZ has recent announced that the email account of an employee has been compromised because of a response made to a phishing email.

The phishing email seemed to have originated from the email account of an executive of Cancer Treatment Centers of America. The attacker used social engineering tactics to trick the employee into revealing login credentials to the account.

The attacker was able to access the email account, although only for a short time because IT staff detected the account compromise and reset the user ‘s account password immediately. Nonetheless, for the duration of time that the account was remotely accessible the hacker potentially accessed some messages in the account that contained the protected health information (PHI) of patients.

A leading computer forensics company assisted Cancer Treatment Centers of America with the investigation. Although it can’t be known which email messages were accessed, the investigators located the PHI of 41,948 patients in the compromised email account.

The information contained in the emails differed from one patient to another and included a combination of patients’ name, email address, address, birth date, medical record number, treatment schedules, services received, doctor’s name, cancer type, and medical insurance details. A few Social Security numbers were compromised but the emails didn’t include any financial information.

Cancer Treatment Centers of America offered complimentary credit monitoring and identity theft protection services to patients whose Social Security number was compromised. Employees have been given further training to help them identity phishing emails.

The breach took place on May 2, 2018 and as soon as the CTCA IT Department discovered it, the account password was reset. However, the breach notice on the Cancer Treatment Centers of America website states that the breach was only discovered by CTCA on September 26, 2018. It is unclear why there was such a delay in notifying affected individuals. CTCA submitted a breach notice to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018.