Patients under the care of Newark-based Medical Oncology Hematology Consultants (MOHC) are now being notified of a data breach that occurred a year ago.
According to officials, the cancer provider fell victim to a cyber-attack that targeted a practice email account on June 7 or 8, 2018. The notification sent to patients gives little insight into when the breach was first discovered. The investigation, however, was not completed until March 14, 2019.
MOHC has now joined the alarmingly growing list of healthcare organizations that in the past months have failed to report a security incident on time. Under HIPAA, organizations are supposed to report breaches within 60 days of discovery, not after the investigation is closed.
MOHC began investigating the breach with the help of a third-party forensics team and its third-party email vendor immediately after it was discovered. They identified the compromised accounts and determined their contents. The data varied from patient to patient but included sensitive information such as patient names, Social Security numbers, government-issued IDs, financial data, dates of birth, medical data and other health information.
The breach is not yet listed on the Department of Health and Human Services breach reporting tool, which is why the exact number of victims is still unclear. However, the organization has promised all patients a year of free credit monitoring and related services.
“The practice treats all sensitive information in a confidential manner and is proactive in the careful handling of such information,” officials said in a statement. “We sincerely apologize for this situation and any inconvenience it may cause you.”
Officials have reportedly begun taking additional steps to protect patient data since the incident. A new email portal has also been implemented that will secure delivery from outside sources and alert users when unencrypted sensitive data is being sent. Furthermore, it would also enable added malware-blocking tools, reporting of any suspicious email
Apart from that, MOHC has begun encrypting all outgoing emails and has given staff additional data security training. Officials have revealed plans to add multi-factor authentication to the network and to establish a better defense against phishing.
The healthcare sector has long been plagued by email compromise and phishing. Records of about 15 million patients were breached in 2018, while hacking incidents and phishing attacks accounted for 11.4 million records.
To reduce the risk posed by employee email and phishing, health organizations need to implement a methodical way to teach staff how to practice security in their daily routines. Employees should also be taught to use new technology and methods that take email decisions away from the employee.