128,400 Workers and Patients Impacted by Phishing Attack on Albany Cancer Cure Center

November 22, 2018


New York Oncology Hematology in Albany, NY, has declared that hackers have gained access to 15 worker electronic mail accounts which had the confidential information of as many as 128,400 existing and former patients and workers.

As is usual in phishing attacks, the electronic mails had a hyperlink to an apparently genuine electronic mail login page which requested usernames and passwords. When the information was submitted it was harvested by the attackers.

As per the alternate breach notice on the New York Oncology Hematology website, each compromised electronic mail account only remained accessible for a brief period of time before access was ended. The electronic mail breaches were identified by New York Oncology Hematology’s IT seller, which shut down access to the compromised accounts by changing the passwords.

Access to 14 electronic mail accounts was gained on April 20, and a second attack took place between April 21 and April 27, which led to a further electronic mail account being compromised.

New York Oncology Hematology appointed a third-party computer forensics company to probe the breach and, on October 1, 2018, the firm verified that the compromised electronic mail accounts had the protected health information of patients and secret worker information. The breach was limited to patients and workers who joined New York Oncology Hematology before April 27, 2018.

The kinds of information in the compromised accounts differed from person to person and might have included names, test results, diagnostic codes, medical information, insurance information, dates of birth, electronic mail addresses, home addresses, account numbers, and dates of service. A limited number of patient and worker Social Security and driver’s license numbers were also disclosed.

New York Oncology Hematology has not disclosed any proof to indicate that confidential information was retrieved or stolen by the attackers and no reports have been received to indicate data abuse.

Out of an abundance of caution, New York Oncology Hematology is offering all affected people 12 months of complimentary credit and identity theft checking facilities through Experian. New York Oncology Hematology has since taken steps to improve electronic mail safety.

All people potentially impacted by the occurrence were informed of the breach on November 16, 2018. Given that illegal access was quickly noticed and obstructed, it is unclear why it took nearly 7 months for notification letters to be issued.