Sophisticated attack at New York Oncology Hematology affects 128,000

A sophisticated phishing incident at a New York oncology and hematology practice went undetected for a week, affecting 128,400 individuals.

Fourteen employee email accounts at New York Oncology Hematology in the Albany region fell victim to attackers between April 20 and April 27 as employees clicked on phishing emails, which exposed protected health information in the email accounts.

New York Oncology 2.jpg
New York Oncology Hematology

“The phishing emails were sophisticated in that they appeared as a legitimate email login page, which convinced the NYOH personnel to enter their usernames and passwords,” the practice explained in a patient notification letter. “These credentials were then harvested and used by the attackers to gain access to email accounts, which were typically only accessible for a short period of hours before access was terminated.”

Also See: 10 strategies to reduce the threat of phishing attacks

New York Oncology Hematology hired forensic specialists to assess the breach and types of data put at risk, which included names, email accounts, dates of birth, home addresses, insurance information, test results, diagnostic codes, account numbers, service dates as well as some patient and employee Social Security and driver’s license numbers.

“While we are not aware of any actual access to or attempted misuse of patient or employee information related to this incident, NYHO is notifying all patients, staff and employees out of an abundance of caution,” the practice explained.

Affected individuals are being offered a year of identity theft protection and credit monitoring services through Experian.

Subsequent improvements to data security following the incident included active monitoring of affected systems, regular password resets, additional employee training and new email protocols. The provider organization, 32 physicians working at 7 locations, continues to get help from federal law enforcement agencies to investigate the phishing attacks. No additional information was available.

For reprint and licensing requests for this article, click here.