More on Risk Management

53,000 patient records breached after phishing hack on Onco360, CareMed

Three employee email accounts were hacked in November, exposing PHI, including financial data and Social Security numbers for some.

Jessica Davis, Associate Editor

Onco360 Pharmacy's storefront in Buffalo, New York. Credit: Google MapsOnco360 Pharmacy's storefront in Buffalo, New York. Credit: Google Maps

A hacker breached employee email accounts of Onco360 and CareMed Specialty Pharmacy, exposing the data of 53,173 patients, according to Onco360.

Officials discovered suspicious activity on an employee's email account in November. The oncology pharmacy company contracted an outside forensic team to investigate the incident and found a hacker got into three employee email accounts.

Those emails contained patient demographic information, medical and clinical data, health insurance information, and Social Security numbers for some patients of Onco360 and CareMed Specialty Pharmacy.

A small number of patients had financial details exposed.

After the breach, the pharmacy company changed email passwords and provided employees with further training on how to recognize suspicious emails. Further, Onco360 added additional security measures to its email platform.

The breach notice appears to imply the breach occurred by employees opening phishing emails, a common method used by hackers to leverage their way into a health system's network.

Onco360 has contacted all patients impacted by the attack, as well as the U.S. Department of Health and Human Services and law enforcement. Officials also are providing impacted patients with free credit monitoring services and a dedicated call center to field questions.

Twitter: @JessieFDavis
Email the writer:

Show All Comments