The Cancer Treatment Centers of America (CTCA) has had its name cross my desk a lot this past year. And that’s not a good thing. There have been five Cancer Treatment Centers of America breach notices that have been publicly disclosed since November 2018. Three of them involved the Southeastern Regional Medical Center in Atlanta, Georgia.
In November 2018, CTCA at Western Regional Medical Center in Phoenix, Arizona notified HHS that 41,948 patients were potentially affected by a phishing incident that occurred in May 2018.
In May 2019, CTCA at Southeastern Regional Medical Center in Georgia notified HHS that 16,819 patients were being notified of a phishing incident that occurred in March 2019.
Two months later, CTCA at Eastern Regional Medical Center in Philadelphia, Pennsylvania notified HHS that 3,904 patients were being notified of a phishing incident that occurred in May. And on the same day, Southeastern Regional Medical Center in Atlanta also notified HHS of yet another phishing incident that they had experienced. This one reportedly impacted 4,559 patients.
On September 27, two months after their second report, CTCA at Southeastern Regional Medical Center notified HHS of yet a third incident involving phishing. This one potentially impacted 4,559 patients.
Not seeing the third breach listed on their web site, DataBreaches.net reached out to CTCA at Southeastern Regional Medical Center to confirm that the third incident really was a new incident and not just a revision of one of their earlier reports. This site also asked the somewhat obvious question as to what CTCA was going to do to prevent these recurring breaches involving phishing.
Abigail Obre, National Manager, External Affairs & Communications for CTCA sent the following statement to DataBreaches.net:
Two employees at CTCA Atlanta recently fell victim to sophisticated phishing attacks that may have involved certain personal information about some of our patients. Upon learning of this suspicious activity, we immediately took measures to curtail the suspected access, promptly opened investigations and retained a nationally recognized forensics firm to assist us. No patient Social Security numbers or financial information were involved. We take our responsibility to safeguard personal information seriously and remain committed to protecting patient privacy and security. We have implemented enhanced controls and heightened our security training programing (sic) to help ensure this does not happen in the future.
I would be surprised if any of my readers actually believed that providing more security training to help prevent phishing attacks is likely to ensure that they do not happen again. So what kinds of enhanced controls is CTCA implementing? They wouldn’t say, stating that
We do not believe providing information about specific enhancements or controls we’ve implemented would be in the best interests of patient privacy.
Well, I can certainly understand not wanting to publicly identify all your security measures, but after three breaches in six months, I think more information might be in order if you want to reassure patients that you’ve got things under control.
And will HHS OCR have anything to say about three incidents in six months? It would seem that they might, but maybe they have different priorities.