Cancer clinic data breach compromised as many as 2.2 million patient records
Wed 9 Mar 2016

Florida-based cancer clinic company 21st Century Oncology Holdings has notified 2.2 million patients and employees that their personal data may have been obtained by a malicious third party in a cyberattack that hit its system last year.
The breach, which took place on 13 November 2015, was first revealed on 4 March. The cancer treatment chain was informed of it by the FBI, which knew of the attack but asked that 21st Century Oncology not disclose the incident until a thorough investigation had been conducted.
It was discovered that the cybercriminals had accessed the medical group’s systems at the beginning of October last year. While no details have been revealed about how the attackers were able to breach the network, they were able to access and steal sensitive patient and employee data, including names, social security numbers, diagnosis and treatment details, as well as insurance information.
In an official statement the company provided the following update: ‘Now that law enforcement’s request for delay has ended, we are notifying patients as quickly as possible. We continue to work closely with the FBI on its investigation of the intrusion into our system. In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.’
The healthcare provider is now offering those affected a year of free credit monitoring.
The attack on 21st Century Oncology comes as medical organisations become more alluring to cybercriminals looking to get their hands on sensitive records containing valuable data to sell in underground markets and use in identity theft. Major breaches have included the Anthem hack in February last year, in which 80 million records were stolen from the health insurance firm. An attack on Washington-based health insurer CareFirst followed shortly after in May 2015. In that case, 1.1 million customer records containing names, dates of birth, email addresses and ID numbers were accessed.
A hacking incident at Planned Parenthood was also flagged in July last year. Anti-abortion extremists were accused of breaching the service’s network and leaking employee details online, compromising staff privacy and safety.