Cancer Treatment Centers of America suffered data breach compromising patients’ PHI

• An employee had provided the network login credentials in response to a phishing email, which allowed for unauthorized access to internal data.
• The compromised email account contained patients’ personal information such as names, phone numbers, addresses, medical record numbers, health insurance information, government IDs, and medical information.

Cancer Treatment Centers of America (CTCA) at Southeastern Regional Medical Center suffered a data breach compromising patients’ Protected Health Information (PHI).

What happened?

A third-party gained unauthorized access to an employee’s email account between March 10 and March 11, 2019. The employee had provided the network login credentials in response to a phishing email, which led to unauthorized access.

What was compromised?

The compromised email account contained patients’ personal information such as names, phone numbers, addresses, medical record numbers, health insurance information, government IDs, and medical information.

However, Social Security numbers and financial information were not involved in the breach.

What was the immediate action taken?

• Upon learning the incident, CTCA Information Security Department promptly changed the employee’s email password.
• CTCA also conducted an extensive investigation and hired a nationally recognized forensics firm to assist them in the investigation.
• The healthcare organization is evaluating security measures to train its employees in identifying suspicious emails.
• It has also requested its patients to review their account statements for any suspicious activity.

“We take our responsibility to safeguard your personal information seriously and remain committed to protecting patient privacy and security. We are evaluating potential security enhancements and continuing to educate our workforce about how to identify suspicious emails to help ensure this does not happen in the future,” the security notice read.