Four staff members at Duarte, Calif.-based City of Hope cancer center were the targets of a phishing attack, which resulted in unauthorized access to their email accounts.
The phishing attack occurred the week of Jan. 18, and the health system's investigation found three of the affected email accounts had emails containing protected health information, including patient names, medical record numbers, birth dates, addresses, email addresses, telephone numbers and some clinical information.
City of Hope says the majority of affected patients had just their patient name and medical record number compromised, and just one patient's Social Security number or financial information was exposed.
Additionally, the health system says it appears the purpose of the phishing attack was to send spam emails to other individuals and not to target protected health information.
City of Hope says it notified HHS' Office for Civil Rights as required by law, but has not yet indicated how many individuals were affected by the incident.
More articles on data breaches:
2016 trends poised to transform healthcare
2015 Excellus data breach cost $17.3M: 4 things to know
4 healthcare data breach lessons to take to heart