Recently, Medford, Oregon-based healthcare firm Hematology Oncology Associates notified its patients of a potential data breach that occurred last year. The attackers had gained access to the firm’s systems for over two months.
According to the breach notification, the officials became aware of the attack on March 19, 2019. They learned that an unauthorized person had gained access to some employee email accounts between December 18, 2018, and February 28, 2019. However, the investigation was not able to determine which emails and attachments were viewed by the attackers.
“On March 19, 2019, we learned that an unauthorized person gained access to some employee email accounts on December 18, 2018, and between February 22, 2019, and February 28, 2019. We immediately secured the accounts, began an investigation, and hired a computer forensic firm to assist. The investigation was not able to determine which emails and attachments were viewed by the unauthorized person(s),” said the notification.
What data was involved?
Upon thorough investigation, the officials found that the emails or attachments potentially accessed by the attackers involved a variety of information of patients. This included patients’ names, Social Security numbers, driver’s license numbers, dates of birth, health insurance numbers, financial account numbers, and payment card information.
What actions have been taken?
Passwords of employee email accounts have been reset since the discovery of the breach. In addition, the firm has also planned to reinforce employee training on how to detect and avoid phishing emails.