Florida-based cancer treatment center 21st Century Oncology Holdings is warning 2.2 million patients that health data and Social Security numbers were stolen from its computer network.
The breach, which was revealed on March 4, occurred last November and included the theft of patient names, Social Security numbers, physicians’ names, diagnoses and treatment information, and insurance information.
21st Century Oncology said it had to delay notifying patients until after an FBI investigation concluded in November. According to the hospital, intruders gained access to its computer network in October.
In a statement, 21st Century Oncology said there is no indication patients’ actual medical records were accessed. “Upon learning of the intrusion, we immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security,” the hospital said.
James Chappell, Digital Shadows’ CTO and cofounder, said hackers were most likely targeting personally identifiable information for resale on black markets. “The circumstances in these patients’ lives were already pretty tough,” Chappell said. “I’m surprised 21st Century Oncology weren’t better stewards of their patients’ data given their circumstances.”
21st Century Oncology, based in Fort Myers, Fla., operates 145 cancer treatment centers in the United States and 36 in Latin America.
“21st Century Oncology’s response really misses the mark,” said Ted Harrington, executive partner with Independent Security Evaluators, in an email interview. “They note in their statement that no medical records were lost. But patient names, Social Security numbers and other data were. These are some of the most important aspects of the medical record.”
Harrington said the breach is indicative of larger trends within hospital security. In a report released last month on hospital security, Independent Security Evaluators concludes that hospitals desperately need to shore up their cyber defenses and are vulnerable to attack.
21st Century Oncology is one of several hospitals that have been increasingly targeted by criminals. Last month, the Los Angeles-based Hollywood Presbyterian Medical Center paid 40 Bitcoin ($17,000) to attackers who locked down access to the hospital’s electronic medical records system and other computer systems using crypto-ransomware.
Last week, Duarte, Calif.-based City of Hope cancer treatment center reported it had fallen victim to a phishing email attack. The intrusion occurred on Jan. 18, according to the hospital, and resulted in attackers breaking into the email accounts of four staff members. City of Hope said three of those email accounts contained “patients’ protected health information,” according to a statement issued by the company.