Delaware cancer center notifies patients of breach nearly one year after incident

Medical Oncology Hematology Consultants (MOHC), in Newark, Delaware, recently began notifying patients of a data breach that occurred around June 7–8, 2018. According to the notification, on March 14, MOHC concluded its investigation into the incident and determined that protected health information (PHI) may have been accessed by an unauthorized party after a cyberattack on company email.

The PHI that may have been exposed in the breach included:

• Dates of birth
• Financial account information
• Government-issued identification numbers
• Health/medical information
• Names
• Social Security numbers

According to HHS’ Office of Civil Rights breach portal, the incident report was submitted on April 26 and affected 8,591 patients. The notification did not indicate when the breach was discovered, but according to HIPAA’s Breach Notification Rule, breaches affecting more than 500 individuals must be reported within 60 days of discovery. Such notification must be given to the affected individuals and appropriate media outlets in the area.

According to the notification, MOHC used third-party experts to assist in the investigation in coordination with the third-party that hosts its email environment and has not found evidence that the exposed information was misused. MOHC has also established a new email portal for delivering emails from external sources; implemented additional measures to block malware, report suspicious emails, and establish notification alerts for attempts to send unencrypted data; and provided additional data security training to employees.