14,795 Oncology Patients Impacted in Washington University School of Medicine Data Breach

Washington University School of Medicine is getting in touch with 14,795 oncology patients to inform them that a portion of their protected health information may have been breached in January 2020. An unauthorized person obtained access to the email account of a research supervisor in the Division of Oncology at some point between January 12, 2020 and January 13, 2020 following a response to a phishing email. Upon identification of the breach, swift action was taken to protect the account and prevent further unauthorized access and a third-party computer forensics firm was engaged to help out with the investigation.An in-depth review of emails and email attachments in the account revealed they included the following patient information: Names, dates of birth, medical record numbers, patient account details, limited treatment and/or clinical information, including diagnoses, supplier names, and laboratory test results. Some patients also had their health insurance information and/or Social Security numbers exposed.

Impacted people are now being made aware of the breach and individuals whose Social Security numbers were potentially stolen have been provided with free membership to credit monitoring and identity protection services.

Washington University School of Medicine has implemented measures to enhance email security and has reinforced education with its staff to help them spot suspicious emails.

Doctors Community Medical Center Suffers Data Breach

Doctors Community Medical Center in Maryland has also been attacked and is making certain patients aware of a breach that may have affected their protected health information.

The data breach was first noticed in January 2020 when suspicious activity was detected in its payroll system. An investigation into the breach showed a small number of employees had been tricked by phishing emails and had shared their account credentials with the attackers. Along with gaining access to the employees’ email accounts, the hackers also had access to employee payroll information.

The investigation showed that the first accounts were breached on November 6, 2019, with access possible until January 30, 2020. Around February 13, 2020, Doctors Community Medical Center revealed that some of the compromised email accounts contained datasheets that included patient information.

A forensic investigation carried out by third-party investigators was unable to confirm if patient data had been accessed, copied, or shared, although no reports have been received to suggest patient information has been improperly used. Unauthorized data access was not confirmed but it was a possibility, so patients have been notified and offered complimentary credit monitoring and identity restoration services.

The range of information that was potentially compromised includes names, addresses, dates of birth, Social Security numbers, driver’s license numbers, military identification details, financial account information, diagnoses, treatment information, prescription data, provider names, medical record numbers, patient IDs, Medicare/Medicaid numbers, health insurance information, treatment cost information, and access details.

The health system is updating its policies and procedures and extra safeguards will be implemented to prevent attacks in the future.

Author: Maria Perez