Heartless hackers break into Florida cancer clinic network – 2.2 million records exposed

Oncology patients' diagnoses, treatment details slurped

US cancer clinic 21st Century Oncology has admitted that a breach of its systems may have exposed private information on 2.2 million patients and employees.

Unidentified hackers were able to access sensitive patient and employee data, including names, SSNs, diagnosis and treatment details, and insurance information, after breaking into the clinic’s network.

The clinic was informed of the breach by the FBI in November 2015 but the Feds asked 21st Century to hold off from disclosing the incident until a thorough investigation had been completed. This explains why the clinic only went public in admitting the breach this week. Hackers accessed the systems at the beginning of October last year.

In its statement, 21st Century apologised for the incident while trying to quieten concerns by stating that there’s no evidence that the leaked data has been misused. The clinic added that it had “taken additional steps to enhance internal security protocols to help prevent a similar incident in the future”.

We have no indication that the information has been misused in any way; however, out of an abundance of caution, we are notifying the affected patients and offering them a free one-year credit protection services. We also recommend that patients regularly review the explanation of benefits that they receive from their health insurer. If they see services that they did not receive, please contact the insurer immediately.

We deeply regret any concern this may cause our patients, and we want to emphasize that patient care will not be affected by this incident.

The incident marks the second time 21st Century Oncology learned of a data breach from federal authorities. In 2013, federal law enforcement informed the clinic of an insider breach allegedly linked to a tax refund fraud scheme, as databreaches.net reports.

“The fact that 21st Century Oncology has been breached should set off alarm bells to other companies in the healthcare industry,” said Kevin Watson, chief exec at Florida-based Netsurion, a provider of remotely-managed security services. “We know that hackers are in constant pursuit of highly sensitive, personal data and that they are equipped with sophisticated methods to gain access to it.

“It appears that diagnosis and treatment information might have been exposed, which could unlock the potential for significant medical fraud. And if insurance plan information was stolen along with identity information, data thieves would have a good indicator on which identities hold a higher value, based on the value of the insurance plan.” ®
