City of Hope, a cancer hospital operator and clinical research organization, disclosed a data breach that potentially compromised the personal and health information of nearly 1 million patients.
In a notice posted to its website April 2, City of Hope said almost six months ago, on Oct. 13, 2023, it became aware of suspicious activity on its systems. The organization immediately instituted mitigation measures to minimize any disruption to its operations, it said in the online notice.
The organization launched an investigation into the incident with the assistance of a leading cybersecurity firm, which determined that hackers accessed its IT systems and obtained copies of some files between Sept. 19, 2023, and Oct. 12, 2023.
The hackers stole files that may have contained patient names, contact information such as email address and phone numbers, dates of birth, Social Security numbers, driver’s license or other government identification, financial details (such as bank account numbers and/or credit card details), health insurance information, medical records and information about medical history and/or associated conditions, and/or unique identifiers to associate individuals with City of Hope, like a medical record number, the organization disclosed.
The investigation remains ongoing and the impacted personal information varies by individual, City of Hope said.
"Upon discovery of this incident, City of Hope immediately instituted mitigation measures. We then promptly implemented additional and enhanced safeguards and enlisted the support of a leading cybersecurity firm to enhance the security of our network, systems, and data," the organization said. "We also launched a comprehensive investigation, identified individuals affected, reported the incident to law enforcement, and notified regulatory bodies."
City of Hope is providing identity monitoring services for two years, at no cost, to individuals whose information may have been involved.
In a notification submitted to the Maine attorney general's office this week, City of Hope said 827,149 people were impacted by the data security incident.
There is no indication of any identity theft or fraud occurring as a result of this incident, a City of Hope spokesperson said.
"City of Hope has safely cared for patients during and after the incident," the spokesperson said via email.
On Dec. 14, the cancer center operator said it provided initial notice of the cybersecurity incident to potentially affected individuals that could be readily notified via email. On March 25, it identified individuals whose personal information was impacted during a detailed, complex and ongoing review of relevant data, it said.
Founded in 1913, City of Hope has grown into one of the largest cancer research and treatment organizations in the U.S. It's national system includes its Los Angeles campus, a network of clinical care locations across Southern California, a new cancer center in Orange County, California, and treatment centers and outpatient facilities in the Atlanta, Chicago and Phoenix areas.
The healthcare industry has seen escalating cyberattacks and data breaches as hackers target the computer systems of providers, health plans and healthcare vendors.
HCA Healthcare disclosed a massive data hack last July that potentially impacted 11 million patients.
There were 725 large security breaches in healthcare reported to the Department of Health and Human Services Office for Civil Rights (OCR) in 2023, beating the record of 720 healthcare security breaches set the previous year, the HIPAA Journal reported. Across those breaches, more than 133 million records were exposed or impermissibly disclosed.
Ardent Health Services, a company that operates 30 hospitals, restored access to Epic after it was hit with a ransomware attack last year that knocked its IT systems offline for two weeks.
McLaren Health Care, Prospect Medical Holdings, a private equity firm that runs 16 hospitals and more than 165 other clinical locations and Lurie Children's Hospital of Chicago were all targeted in cyberattacks in the past year.
The industry is still reeling from the cyberattack against Change Healthcare back in February. The State Department is now offering a $10 million bounty for information on BlackCat or ALPHV, the cybercriminal gang behind the attack on Change Healthcare's systems.