Cyber Incident Victim: New York Oncology Hematology
Date: Apr 2018
Location: United States of America
Summary
A phishing attack compromised 14 employee email accounts at New York Oncology Hematology through deceptive login pages that harvested credentials, granting attackers temporary access. Although forensic investigation found no evidence of actual data access or misuse, the organization notified over 128,400 patients and employees as a precaution after determining some affected accounts contained protected health information and personal details. The incident prompted immediate password resets and account security measures, with notifications excluding individuals who joined after the attack period.
Description
In April 2018, New York Oncology Hematology (NYOH) experienced a phishing attack compromising employee email accounts. Between April 20 and April 27, attackers sent deceptive emails mimicking legitimate login pages, tricking 14 employees into disclosing credentials. These credentials allowed unauthorized access to the employees’ email accounts, though each account remained accessible for only a few hours before NYOH’s IT vendor detected the breaches, reset passwords, and terminated access. A secondary incident during the same period involved one additional compromised email account. NYOH engaged a forensic firm to investigate potential data exposure within the affected accounts. The attackers’ method relied on socially engineered phishing messages designed to harvest login details without deploying malware or exploiting technical vulnerabilities in NYOH’s systems.

The forensic review, concluded by October 1, 2018, identified protected health information and personal data within one or more of the breached email accounts but found no definitive evidence that attackers accessed or misused this information. Despite the absence of confirmed data theft, NYOH opted to notify all current patients and employees as a precautionary measure, impacting over 128,400 individuals. Notifications excluded patients and employees who joined NYOH after April 27, 2018. The organization publicized the incident through its website and an FAQ, emphasizing the targeted nature of the phishing campaign and the short-lived access attackers obtained. No ransomware, data destruction, or secondary cyberattacks were linked to this incident in the available reporting.
