Analecta Cyber Company Blog: Phishing scam nets patient details from City of Hope employee emails

2016-03-14

City of Hope is one of the founding members of the National Comprehensive Cancer Network. Established in 1913, the facility is a pioneer in bone marrow transplantation and genetics. Its main hospital is based in Duarte, California, just northeast of Los Angeles, but it also has clinics spread across Southern California.

City of Hope is an independent research and treatment center for cancer, diabetes, and other life-threatening diseases. Ranked as one of “America’s Best Hospitals” in cancer by U.S. News & World Report, it is designated as a comprehensive cancer center, which is the highest recognition given by the National Cancer Institute.




A week ago, the cancer research and treatment facility reported that a batch of patient information was illegally accessed. This was done via a “phishing” attack that had targeted the email accounts of most of the site’s staff. These schemes attempt to obtain personal information such as account usernames and passwords through an email disguised as coming from a legitimate source. The investigation found that the data breach happened during the week of Jan. 18. It resulted in unauthorized access to the email accounts of four staff members.

Immediately after discovering the data breach, the facility informed law enforcement and other appropriate agencies. As required by law, it also notified the Department of Health and Human Services, Office for Civil Rights and state agencies.

With the assistance of a forensic information technology firm, City of Hope launched an investigation that uncovered the extent of the breach. It found that three of the four email accounts accessed contained protected patient information including names, medical record numbers, dates of birth, postal and email addresses and phone numbers. They also contained clinical information consisting of diagnoses and service dates. The investigation further revealed that the phishing attack appears to have been intended only for sending spam emails.

City of Hope alerted the affected patients through notification letters and is taking all the necessary steps to mitigate other possible damage that the breach may cause to the individuals affected.

After securing the accessed email accounts, City of Hope retained the services of the forensic IT firm to evaluate its systems and further strengthen the security measures required to protect the sensitive information of its patients.

City of Hope condemns these kinds of cyber attacks and has expressed its apologies to the victims. The facility added that it will continue working to protect patient privacy.