Phishing Attack on Healthcare Provider Impacts 128K Patient Records

Nov. 21, 2018
New York Oncology Hematology, based in Albany, New York, is notifying its patients and employees that an unauthorized user may have gained access to several employee email accounts, and, potentially, accessed employee or patient data as a result of a phishing attack back in April.

New York Oncology Hematology, based in Albany, New York, is notifying its patients and employees that an unauthorized user may have gained access to several employee email accounts, and, potentially, accessed employee or patient data as a result of a phishing attack back in April.

The healthcare provider posted a message on its website stating, “NYOH has determined an unauthorized user may have gained access to several employee email accounts through a series of targeted phishing emails. While NYOH and its partners are not aware of any actual access to or attempted misuse of patient or employee information related to this incident, we continue to take steps to protect our patients and employees’ information.”

Media coverage by The Daily Gazette puts the number of employees and patients at 128,400.

According to NYOH, the phishing emails sent were sophisticated in that they appeared as a legitimate email login page, which convinced the NYOH personnel to enter their user names and passwords. “These credentials were then harvested and used by the attackers to gain access to the email accounts, which were typically only accessible for a short period of hours before access was terminated,” officials said.

On April 20, 2018, a phishing incident occurred through which an unauthorized user gained access to 14 employee email accounts –typically only for a few hours at most, the organization said. A second incident occurred between April 21, 2018 and April 27, 2018, when one additional email account became accessible. Immediately upon discovery of the incidents, NYOH’s IT vendor, took steps to reset passwords, shutting down access to these accounts.

NYOH was subsequently notified of the suspected unauthorized access by its IT vendor. NYOH initiated its incident response protocol to determine the scope and severity of the phishing attacks. NYOH hired an outside forensic firm to conduct a review of the content of the accounts.

Following a thorough analysis, on October 1, they determined that one or more of the affected email accounts contained protected health information and other personal information of patients or employees, the organization said.

The organization said the following information may have been contained in the affected email accounts: names, dates of birth, home addresses, email addresses, insurance information, medical information such as test results, diagnostic codes, account numbers, and service dates. In very limited circumstances, the accounts also contained patient and employee Social Security and driver’s license numbers.

“While we are not aware of any access to or attempted misuse of patient or employee information related to this incident, out of an abundance of caution, NYOH mailed letters to all NYOH patients and employees on November 16, 2018. This letter includes directions for enrolling in 12 months (or longer as required by law) of free identity theft and credit monitoring services through Experian,” the organization stated.

Email hack at HealthEquity

HealthEquity, a health savings account provider with headquarters in Utah, reported to the U.S. Department of Health and Human Services (HHS) data breach portal that 165,800 patient records were impacted by an email hacking incident.

According to DataBreaches.net, HealthEquity notified the California Attorney General’s Office that on October 5, the company’s IT security team identified unauthorized logins to two HealthEquity employees’ email accounts.  

The investigation was unable to conclusively rule out – or rule in – whether the attacker accessed and viewed emails in those accounts that contained personal and/or protected health information, DataBreaches.net reported.

In a statement to DataBreaches.net, HealthEquity officials stated, “Through a third-party forensic research team, we have discovered that approximately 190,000 may have been impacted. We have begun notifying these individuals and offering 5-year credit monitoring services.”

Sponsored Recommendations

TEST: Ask the Expert: Is Your Patients' Understanding Putting You at Risk?

Effective health literacy in healthcare is essential for ensuring informed consent, reducing medical malpractice risks, and enhancing patient-provider communication. Unfortunately...

From Strategy to Action: The Power of Enterprise Value-Based Care

Ever wonder why your meticulously planned value-based care model hasn't moved beyond the concept stage? You're not alone! Transition from theory to practice with enterprise value...

State of the Market: Transforming Healthcare; Strategies for Building a Resilient and Adaptive Workforce

The U.S. healthcare system is facing critical challenges, including workforce shortages, high turnover, and regulatory pressures. This guide highlights the vital role of technology...

How AI-Native Locating Intelligence Revolutionizes the RTLS market

Discover how leveraging an RTLS solution with artificial intelligence as the location engine can increase efficiency, improve safety, and elevate care without the compromises ...