New York Oncology Hematology recently announced that it has determined an unauthorized user may have gained access to several employee email accounts through a series of targeted and sophisticated phishing emails earlier this year.
NYOH said they hired an outside forensic firm to conduct a review of the content of the accounts following the phishing attack, which occurred between April 20 and April 27.
Officials said that after a thorough analysis, on October 1 the firm determined that one or more of the affected email accounts contained protected health information and other personal information of patients and employees.
While the forensic investigation found no indication of access to or attempted misuse of patient or employee information related to the incident, out of an abundance of caution, NYOH notified and provided credit reporting services to its more than 128,400 patients and employees.
Officials said patients and employees who joined NYOH after April 27, 2018, are not involved.
“Phishing” is the act of sending an email falsely claiming to be an established legitimate business or personal contact in an attempt to deceive the unsuspecting recipient.
Officials said the phishing emails in this case were sophisticated in that they presented what appeared to be a legitimate email login page, convincing NYOH personnel to enter their usernames and passwords.
These credentials were then harvested and used by the attackers to gain access to the email accounts, which were typically only accessible for a short period of hours before access was terminated.
“We are deeply sorry for the concern and inconvenience this phishing attack may cause, but NYOH remains committed to protecting the security and confidentiality of our patients’ and employees’ information,” said Ira Zackon, MD, President, NYOH, in a news release. “We have no indication that personal data was accessed or misused. However, we are taking precautionary steps to ensure the safety and peace of mind for those impacted.”
Officials said in this instance, an unauthorized user gained access to NYOH employee email accounts, typically for only a few hours at most. Immediately upon discovery of the incidents, NYOH’s IT vendor took steps to shut down the accounts in question and launched a full forensic investigation.
NYOH’s notification letter contains information on how patients and employees can enroll in free identity theft and credit monitoring services through Experian. NYOH has also activated a hotline for those who believe they may have been involved but did not receive a letter, at 1-877-753-3334.
Given the nature of the phishing attack, patients at all of NYOH’s seven locations are being notified.
Working in partnership with its IT security vendors, NYOH said they have taken additional steps to remediate and enhance the security of email systems.
Additionally, NYOH said it requested help from, and is cooperating with, federal law enforcement to investigate the phishing attacks.
Date: November 24, 2018
Source: The Record