Cancer Treatment Centers of America has learned that an email account of an employee at its Atlanta-based Southeastern Regional Medical Center was the target of a phishing attack that may have exposed 16,819 patients, according to the HIPAA Journal.
The phishing attack happened on March 10, when an employee provided network login credentials in response to a malicious email. CTCA was alerted to the breach the following day and changed the password of the employee's account.
Although the account was accessible for less than two days, the hacker may have been able to view patients' names, addresses, medical record numbers, government identification numbers, health insurance information and some medical information. No Social Security numbers or financial information was affected, reports the HIPAA Journal.
This is the second phishing attack to expose CTCA patients in the past six months. A December 2018 data breach exposed the protected health information of 41,948 patients.
Patients who were affected in the March 2019 data breach have been told to monitor their explanation of benefits statements and other account statements.
Editor's note: This story was updated on June 4. An original version of this article referred to Southeastern Regional Medical Center as Southern Regional Medical Center.