Cancer Treatment Centers of America notifies patients after phishing attack on employee email account

Cancer Treatment Centers of America has been sending notification letters to patients whose protected health information was in an employee email account that was compromised by a phishing attack.  The employee works at the Southeastern Regional Medical Center.

The attack took place on March 10, 2019, and the attacker was potentially able to access the account between March 10 and March 11.  An investigation did not confirm whether any ePHI had actually been accessed, so CTCA is notifying all those potentially affected. The precise number was not mentioned in their letter.

Unlike their last disclosure of a phishing attack (see this report from December 2018), CTCA is not offering those affected by this newest incident any complimentary services (perhaps because no SSN or financial account information was exposed). But they want you to know that they take their responsibility to safeguard your data seriously.

This is the second time in six months that they are disclosing a phishing attack that potentially compromised ePHI. After the first attack, did they reduce the amount of PHI employees were able to store in their email accounts? We don't know, as we have no numbers for this incident yet. But what is CTCA doing to make sure that there is no third successful phishing attack?

About the author: Dissent