City of Hope Phishing Attack Affects 3,400 Patients

The latest City of Hope phishing attack has possibly led to the PHI of 3,400 patients being accessed by cybercriminals. City of Hope employees were sent phishing emails on May 31 and June 2, 2017. Four employees responded to the emails and disclosed their email credentials to the attackers. Four email accounts were accessed by the attackers.

Although the email accounts contained confidential information, City of Hope officials do not think the attack was carried out to steal data, but rather to use the email accounts for further spam and phishing campaigns. That determination was based on an analysis of the attackers' activity after access to the accounts was gained.

Nevertheless, although data theft was not thought to be the main objective, it remains a possibility. The investigation did not uncover any evidence to suggest emails had been accessed and information stolen; however, the possibility could not be ruled out. City of Hope was only able to confirm that the accounts had been accessed.

A third-party computer forensics firm was hired to investigate the extent and scope of the breach. The investigation concluded that only 3 of the accounts contained the PHI of patients. Each email in the accounts had to be checked to determine what information was present and which patients' PHI had potentially been accessed. City of Hope concluded that 3,400 patients were affected.

The PHI in the emails varied from patient to patient and included names, medication information, test results, diagnoses, dates of service, addresses, contact telephone numbers, email addresses, and dates of birth. No financial information, Social Security numbers or driver's licenses were exposed.

The City of Hope phishing attack has been reported to the Department of Health and Human Services' OCR and the Federal Bureau of Investigation, and all affected individuals have now been notified of the phishing attack by mail.

The incident was reported only a few days after OCR sent a notice to HIPAA-covered entities about the risk of phishing and how important it is for employees to receive regular security awareness training, particularly to reduce the risk from phishing.