PHI Exposed in Moffitt Cancer Center and Los Angeles County Department of Health Services Cyberattacks

Moffitt Cancer Center Impacted by the Advarra Data Breach

Moffitt Cancer Center reported a data security breach that occurred at Advarra. Advarra is Moffitt Cancer Center’s provider of services associated with patient care and treatment as well as a research study. On October 26, 2023, Advarra found suspicious activity in the user account of an employee. The forensic investigation affirmed that an unauthorized person accessed the account on October 25, 2023, and stole a minimal amount of information. On or about February 8, 2024, Advarra finished its file analysis and stated that the exposed information was from the Moffitt Cancer Center.

Advarra notified Moffitt Cancer Center concerning the breach on February 21, 2024, and finished its evaluation of the impacted information on March 13, 2024. Moffitt Cancer Center has affirmed that the attacker did not access its systems and that the data compromised was restricted to names, birth dates, and Social Security numbers. Advarra will inform the impacted persons from Moffitt Cancer Center.

Advarra has submitted the breach report to the HHS’ Office for Civil Rights indicating that 596 people were affected and Moffit Cancer Center has notified the Maine Attorney General about the breach, which affected 26,577 people. Advarra stated it has applied extra procedures to further reinforce its internal files database and is providing the impacted people with free identity theft monitoring via Kroll. Moffitt Cancer Center likewise announced being affected by a data breach at Gunster, Yoakley, and Stewart law firm.

Los Angeles County Department of Health Services Phishing Attack

The Los Angeles County Department of Health Services encountered a phishing attack that resulted in the disclosure of email account credentials by 23 employees after clicking a URL link in an email message that seemed to have been received from a respected sender. An unauthorized third party viewed the email accounts beginning February 19, 2024 until February 20, 2024.

The Department of Health Services stated the phishing attack report was submitted to law enforcement which advised stalling the notification of the impacted people in order to avoid getting in the way of the investigation. Notification letters were sent to the impacted persons who were given details on what they could do to respond to the breach. The types of information compromised differed from one person to another and might have included at least one of these data: first and last name, birth date, telephone number(s), home address, e-mail address, client ID number, dates of service, medical record number, and/or medical details (e.g., diagnosis/condition, treatment, lab test results, prescription drugs), and/or health plan data.

The Department of Health Services has notified all employees telling them to be cautious whenever opening email messages, has improved its HIPAA training on determining and reacting to phishing emails, and has applied additional settings to reduce the risk of more successful cyberattacks.

The breach report was sent to the HHS Office for Civil Rights, however, the incident is not yet posted on the OCR breach website. The number of individuals affected by the breach is still uncertain.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X