US cancer clinic 21st Century Oncology has admitted that a breach of its systems may have exposed private information on 2.2 million patients and employees.
Unidentified hackers were able to access sensitive patient and employee data, including names, SSNs, diagnosis and treatment details and insurance information after breaking into the clinic’s network.
The clinic was informed of the breach by the FBI in November 2015 but the Feds asked 21st Century to hold off from disclosing the incident until a thorough investigation had been completed. This explains why the clinic only went public in admitting the breach this week. Hackers accessed the systems at the beginning of October last year.
In its statement, 21st Century apologised for the incident while trying to quieten concerns by stating that there’s no evidence that the leaked data has been misused. The clinic added that it had “taken additional steps to enhance internal security protocols to help prevent a similar incident in the future”.
We have no indication that the information has been misused in any way; however, out of an abundance of caution, we are notifying the affected patients and offering them free one-year credit protection services. We also recommend that patients regularly review the explanation of benefits that they receive from their health insurer. If they see services that they did not receive, please contact the insurer immediately.
We deeply regret any concern this may cause our patients, and we want to emphasize that patient care will not be affected by this incident.
The incident marks the second time 21st Century Oncology learned of a data breach from federal authorities. In 2013, federal law enforcement informed the clinic of an insider breach allegedly linked to a tax refund fraud scheme, as databreaches.net reports.
“The fact that 21st Century Oncology has been breached should set off alarm bells to other companies in the healthcare industry,” said Kevin Watson, chief exec at Florida-based Netsurion, a provider of remotely-managed security services. “We know that hackers are in constant pursuit of highly sensitive, personal data and that they are equipped with sophisticated methods to gain access to it.
“It appears that diagnosis and treatment information might have been exposed, which could unlock the potential for significant medical fraud. And if insurance plan information was stolen along with identity information, data thieves would have a good indicator on which identities hold a higher value, based on the value of the insurance plan.”