New York Oncology Hematology, based in Albany, New York, is notifying its patients and employees that an unauthorized user may have gained access to several employee email accounts, and, potentially, accessed employee or patient data as a result of a phishing attack back in April.
The healthcare provider posted a message on its website stating, “NYOH has determined an unauthorized user may have gained access to several employee email accounts through a series of targeted phishing emails. While NYOH and its partners are not aware of any actual access to or attempted misuse of patient or employee information related to this incident, we continue to take steps to protect our patients and employees’ information.”
Media coverage by The Daily Gazette puts the number of employees and patients at 128,400.
According to NYOH, the phishing emails sent were sophisticated in that they appeared as a legitimate email login page, which convinced the NYOH personnel to enter their user names and passwords. “These credentials were then harvested and used by the attackers to gain access to the email accounts, which were typically only accessible for a short period of hours before access was terminated,” officials said.
On April 20, 2018, a phishing incident occurred through which an unauthorized user gained access to 14 employee email accounts –typically only for a few hours at most, the organization said. A second incident occurred between April 21, 2018 and April 27, 2018, when one additional email account became accessible. Immediately upon discovery of the incidents, NYOH’s IT vendor, took steps to reset passwords, shutting down access to these accounts.
NYOH was subsequently notified of the suspected unauthorized access by its IT vendor. NYOH initiated its incident response protocol to determine the scope and severity of the phishing attacks. NYOH hired an outside forensic firm to conduct a review of the content of the accounts.
Following a thorough analysis, on October 1, they determined that one or more of the affected email accounts contained protected health information and other personal information of patients or employees, the organization said.
The organization said the following information may have been contained in the affected email accounts: names, dates of birth, home addresses, email addresses, insurance information, medical information such as test results, diagnostic codes, account numbers, and service dates. In very limited circumstances, the accounts also contained patient and employee Social Security and driver’s license numbers.
“While we are not aware of any access to or attempted misuse of patient or employee information related to this incident, out of an abundance of caution, NYOH mailed letters to all NYOH patients and employees on November 16, 2018. This letter includes directions for enrolling in 12 months (or longer as required by law) of free identity theft and credit monitoring services through Experian,” the organization stated.
Email hack at HealthEquity
HealthEquity, a health savings account provider with headquarters in Utah, reported to the U.S. Department of Health and Human Services (HHS) data breach portal that 165,800 patient records were impacted by an email hacking incident.
According to DataBreaches.net, HealthEquity notified the California Attorney General’s Office that on October 5, the company’s IT security team identified unauthorized logins to two HealthEquity employees’ email accounts.
The investigation was unable to conclusively rule out – or rule in – whether the attacker accessed and viewed emails in those accounts that contained personal and/or protected health information, DataBreaches.net reported.
In a statement to DataBreaches.net, HealthEquity officials stated, “Through a third-party forensic research team, we have discovered that approximately 190,000 may have been impacted. We have begun notifying these individuals and offering 5-year credit monitoring services.”
