City of Hope Phishing Attack Affects 3,400 Patients

A recent City of Hope phishing attack has potentially led to the PHI of 3,400 patients retrieved by cybercriminals. City of Hope employees were sent phishing electronic mails on May 31 and June 2, 2017. Four workers responded to the electronic mails and disclosed their email identifications to the assailants. Four email accounts were retrieved by the assailants.

While the electronic mail accounts contained sensitive information, City of Hope officers do not think the attack was conducted to steal data, instead to use the email accounts for additional phishing and spam campaigns. That resolve based on an examination of the actions of the assailants after access to the accounts was gained.


Nevertheless, while data theft wasn’t believed to be the main goal, it remains a probability. The investigation did not reveal any evidence to suggest electronic mails had been accessed and information, thieved, but the probability could not be ruled out. City of Hope was just able to determine the accounts had been retrieved.


A third-party computer forensics organization was brought in to probe the extent and range of the breach. The inquiry determined that just 3 of the accounts contained the PHI of patients. Each email in the account needed to be checked to decide what information was present and which patients’ PHI had potentially been retrieved. City of Hope determined that 3,400 patients were impacted.


The PHI in the electronic mails differed patient by patient included names, email addresses, addresses, dates of service, test results, contact telephone numbers, diagnoses, medication information, and dates of birth. No Social Security numbers, driver’s licenses or financial information were exposed.


The City of Hope phishing attack has been informed to Department of Health and Human Services’ OCR, the National Bureau of Inquiry and all affected individuals have now been alerted to the phishing attack by post.


The incident was reported only a few days after OCR sent a notice to HIPAA-covered units of the risk of phishing and how significant it is for workers to receive regular security consciousness training, specifically to decrease the risk from phishing.