Cyber Incident Victim: Cancer Treatment Centers of America
Date: Sep 2019
Location: United States of America
Summary
Cancer Treatment Centers of America's Southeastern Regional Medical Center experienced three phishing incidents over six months, compromising patient information. Two employees fell victim to sophisticated phishing attacks, and the three separate events potentially exposed the personal data of approximately 16,819, 4,559, and another 4,559 patients, though no Social Security numbers or financial details were involved. The organization responded by curtailing access, launching investigations, engaging a forensics firm, and implementing enhanced security controls alongside heightened employee training. Despite the recurring breaches, the organization withheld specific details about the security improvements, citing patient privacy concerns.
Description
Cancer Treatment Centers of America (CTCA) at Southeastern Regional Medical Center in Atlanta, Georgia, experienced three separate phishing incidents within a six-month period between March and September 2019. The first incident occurred in March 2019 and compromised the email accounts of employees, potentially exposing personal information of 16,819 patients. CTCA notified the U.S. Department of Health and Human Services (HHS) of this breach in May 2019. Two months later, in July 2019, the same facility reported a second phishing incident, which had occurred in May 2019 and affected 4,559 patients. On September 27, 2019, CTCA disclosed a third phishing incident at the Atlanta center, also affecting 4,559 patients. In all three breaches, employees fell victim to phishing attacks that granted unauthorized access to email accounts containing patient data.

The compromised information did not include Social Security numbers or financial details according to CTCA's statement. Upon discovering each incident, the organization immediately restricted access to affected accounts, launched internal investigations, and engaged a national forensics firm to assist. CTCA implemented enhanced security controls and expanded employee training programs to prevent future breaches, though specific technical improvements were not disclosed publicly. The repeated incidents within a short timeframe raised questions about the effectiveness of these measures, with the organization citing patient privacy concerns as justification for withholding details about security enhancements. These breaches collectively impacted over 25,000 patients across the three events at the Atlanta facility, with additional phishing incidents occurring at other CTCA locations in Arizona and Pennsylvania during the same general timeframe.
