Nearly 1M medical records feared stolen from City of Hope cancer centers
Is there no cure for this cyber-plague?
Nearly one million individuals' personal details, financial account information, and medical records may well have been stolen from City of Hope systems in the United States.
Despite the name, City of Hope is a healthcare organization that operates cancer hospitals and outpatient centers in Duarte, California, as well as the Atlanta, Chicago, and Phoenix areas. The biz, which also carries out cancer research, disclosed it suffered an IT security breach on its website on Tuesday.
In a notification submitted to the Maine Attorney General's office this week, City of Hope said 827,149 people have been caught up in yet another case of cyber-thieves targeting hospitals and their patients, which in previously separate cases has at times disrupted critical care.
According to an April 2 statement by the health org, a miscreant infiltrated "a subset of our systems," had access to the aforementioned personal records, and stole at least some files between September 19 and October 12, 2023. City of Hope says it became aware of "suspicious activity" a day later, and swears it immediately took action to minimize any disruption to its operations.
We're told that in December last year the org emailed folks who may have had their info siphoned, and since March 25 has been alerting those it has determined were affected by the intrusion.
"There is no indication of any identity theft or fraud occurring as a result of this incident," The Register was told by a spokesperson today. "City of Hope has safely cared for patients during and after the incident."
City of Hope stated the "investigation remains ongoing," and warned in its advisory that any stolen data could include: Names, email addresses, phone numbers, dates of birth, Social Security numbers, driver's license or other government identification, financial details such as bank account number and/or credit card details, health insurance information, medical records and information about medical history and/or associated conditions, and/or unique identifiers to associate individuals with City of Hope such as medical record numbers.
Whew.
"Upon discovery of this incident, City of Hope immediately instituted mitigation measures," the Maine notification stated.
"We then promptly implemented additional and enhanced safeguards and enlisted the support of a leading cybersecurity firm to enhance the security of our network, systems, and data," it continued. "We also launched a comprehensive investigation, identified individuals affected, reported the incident to law enforcement, and notified regulatory bodies."
Affected individuals will receive two years of free identity monitoring services from Kroll.
- INC Ransom claims responsibility for attack on NHS Scotland
- Uncle Sam intervenes as Change Healthcare ransomware fiasco creates mayhem
- Ransomware can mean life or death at hospitals. DEF CON hackers to the rescue?
- Ignore Uncle Sam's 'voluntary' cybersecurity goals for hospitals at your peril
The City of Hope disclosure follows several other major data theft and ransomware infections targeting the healthcare industry, in part because criminals have learned that these critical facilities are more likely to pay a ransom to end the pain as it were.
In late March, crime gang INC Ransom claimed to have stolen three terabytes of data from NHS Scotland. The health org said it managed to contain the infection within a regional branch.
Earlier this year, the ALPHV/BlackCat gang took credit for a ransomware attack on Change Healthcare that disrupted pharmacies' abilities to fill prescriptions and hospitals providing patient care for weeks across America in February and March.
The US government has since launched a probe into Change's data protection practices; it's alleged the ALPHV crew stole 6TB of info from that business.
In response to the growing number of attacks on healthcare and other critical infrastructure sectors in America, last week the Feds posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
Meanwhile, the Department of Health and Human Services has indicated its "voluntary" cybersecurity goals for hospitals may soon become less voluntary. ®