Cancer Treatment Centers of America is notifying 104,808 of its Midwestern Regional Medical Center patients regarding the potential access by an unauthorized person to some of their protected health information (PHI) that is included in an email account.
CTCA identified suspicious activity in an email account on January 18, 2021. The healthcare provider secured the account immediately to stop further unauthorized access and engaged a third-party forensics company to help investigate and find out the nature and extent of the data breach.
The investigation showed that the hacker accessed the email account on January 12, 2021 and possibly had access to the account until January 18 when CTCA performed a password reset. It cannot be confirmed which emails if any, the hacker accessed. It is also not possible to eliminate data theft.
An analysis of the compromised account showed it included patient names, medical insurance data, CTCA account numbers, medical record numbers, and some medical data. There was no compromise of any Social Security number or financial data.
CTCA has put in place more security options to avoid more breaches and supplemental security improvements are being considered. The healthcare provider sent notifications to the affected persons on March 18, 2021.
Vendor Breach Impacts Over 9,000 Insulet Patients
The medical device firm Insulet Corporation based in Acton, MA is notifying 9,050 patients regarding a data breach that occurred at Cornerstone On-Demand, which is an online customer training vendor.
The vendor notified Insulet around January 19, 2020 regarding the unauthorized access by an individual to Cornerstone’s systems on January 13, 2021 and the potential download of data including the PHI of Insulet patients.
Data saved on the breached system contained names, email addresses, online course details and Insulet customer training records. When Cornerstone discovered the breach, its systems were quickly secured to stop continuing unauthorized access. Extra security procedures were since enforced to avoid more attacks. Insulet stated it has started shifting to a new internet training vendor and will tell Cornerstone to erase all its information as soon as the move has been done.