City of Hope Phishing Attack Impacts 3,400 Patients

A recent City of Hope phishing attack has potentially resulted in the PHI of 3,400 patients being accessed by cybercriminals. City of Hope employees were sent phishing emails on May 31 and June 2, 2017. Four employees responded to the emails and disclosed their email credentials to the attackers. Four email accounts were accessed by the attackers.

While the email accounts contained sensitive information, City of Hope officials do not believe the attack was conducted in order to steal data, rather to use the email accounts for further phishing and spam campaigns. That determination was based on an analysis of the actions of the attackers once access to the accounts was gained.

However, while data theft was not believed to be the primary goal, it remains a possibility. The investigation did not uncover any evidence to suggest emails had been accessed and information stolen, but the possibility could not be ruled out. City of Hope was only able to determine the accounts had been accessed.

A third-party computer forensics firm was brought in to investigate the extent and scope of the breach. The investigation determined that only three of the accounts contained the protected health information of patients. Each email in the account had to be checked to determine what information was present and which patients’ PHI had potentially been accessed. City of Hope determined that 3,400 patients were affected.

The PHI in the emails varied patient by patient and included names, email addresses, contact telephone numbers, addresses, dates of service, diagnoses, test results, medication information and dates of birth. No Social Security numbers, financial information or driver’s licenses were exposed.

The City of Hope phishing attack has been reported to the Federal Bureau of Investigation and the Department of Health and Human Services’ Office for Civil Rights and all affected individuals have now been notified of the phishing attack by mail.

The incident was reported just a few days after OCR sent a warning to HIPAA-covered entities of the risk of phishing and how important it is for employees to receive regular security awareness training, specifically to reduce the risk from phishing.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of