Albany-based New York Oncology Hematology is notifying more than 128,400 employees and patients after discovering that 14 employees fell prey to phishing attacks in April. Although forensic invesgtigation did not find any clear evidence that attackers accessed employee or patient data in the employees’ email accounts, NYOH decided to notify everyone.
As part of their web site notice, they describe the phishing incident:
NYOH has determined an unauthorized user may have gained access to several employee email accounts through a series of targeted phishing emails. While NYOH and its partners are not aware of any actual access to or attempted misuse of patient or employee information related to this incident, we continue to take steps to protect our patients and employees’ information.
The phishing emails sent were sophisticated in that they appeared as a legitimate email login page, which convinced the NYOH personnel to enter their user names and passwords. These credentials were then harvested and used by the attackers to gain access to the email accounts, which were typically only accessible for a short period of hours before access was terminated.
NYOH hired an outside forensic firm to conduct a review of the content of the accounts following the phishing attack, which occurred between April 20 and April 27. Following a thorough analysis, on October 1, they determined that one or more of the affected email accounts contained protected health information and other personal information of patients or employees. Patients and employees who joined NYOH after April 27, 2018, are not involved.
A companion FAQ on the incident contains the following additional details:
On April 20, 2018, a phishing incident occurred through which an unauthorized user gained access to 14 employee email accounts – typically only for a few hours at most. A second incident occurred between April 21, 2018 and April 27, 2018, when one additional email account became accessible. Immediately upon discovery of the incidents, NYOH’s IT vendor, took steps to reset passwords, shutting down access to these accounts.
The FAQ does not specify a precise number of employees or patients potentially impacted, but says that they are notifying all NYOH patients, staff, and employees out of an abundance of caution. Media coverage by The Daily Gazette puts that number at more than 128,400 for employees and patients combined.