Cyber Incident Victim: Cancer Treatment Centers of America

Date: Mar 2019

Location: United States of America

Summary

A healthcare organization experienced a phishing attack compromising an employee email account containing patient protected health information, marking its second such incident within a short period. The unauthorized access potentially exposed electronic health records, though investigators could not confirm actual data exfiltration. The entity notified potentially affected individuals but did not disclose the total number impacted or offer complimentary mitigation services, unlike in its prior breach response. This recurrence followed another similar phishing incident involving exposed sensitive data six months earlier.

Description

On March 10, 2019, Cancer Treatment Centers of America (CTCA) experienced a phishing attack targeting an employee email account at its Southeastern Regional Medical Center facility. The attacker gained unauthorized access to the account and maintained potential access until March 11, 2019. CTCA initiated an investigation following the breach but could not definitively determine whether any electronic protected health information (ePHI) stored in the compromised account had been accessed or exfiltrated. As a precautionary measure, the organization opted to notify all patients whose sensitive information was present in the affected email account during the intrusion window. The notification letters did not specify the exact number of impacted individuals or provide detailed information about the types of medical or personal data exposed, though the absence of complimentary identity protection services suggested no Social Security numbers or financial account information was involved in this particular incident.

This marked CTCA's second disclosed phishing-related security event within six months, following a similar breach reported in December 2018. Unlike their response to the previous incident, CTCA did not offer affected individuals complimentary credit monitoring or identity protection services in this case, a decision potentially influenced by the different nature of the exposed data. The organization emphasized its commitment to data protection in communications but provided no specific details about implemented security enhancements following the earlier breach. The repeated occurrence of phishing compromises within such a short timeframe raised questions about the effectiveness of existing email security controls and whether CTCA had reduced the volume of PHI stored in employee email accounts after the first incident. No information was disclosed regarding additional security measures taken to prevent future phishing attacks or whether workforce retraining had occurred following either breach.