Memorial Sloan Kettering Cancer Center (MSK) based in New York City has reported the compromise of the protected health information (PHI) of 12,274 people due to a phishing attack. On April 26, 2024, MSK discovered suspicious activity in the email account of one employee. The attacker used the account to send an email message to other MSK staff and included a URL to a fake website that made users sign into their MSK accounts and then snagged their credentials as soon as they were inputted. Some workers were misled by the email message since the message was delivered from a legitimate MSK account and seemed to be a legitimate internal request.
A review of the breached email accounts revealed they included some PHI, which includes first and last names, diagnoses, prescription medication names, types of treatment, dates of treatment, and medical record numbers. The contact details, which include address, email, and phone number) and birth dates of some impacted persons were exposed. MSK stated that the breach was restricted to email accounts. The attacker did not access the electronic health records. The driver’s license numbers, Social Security numbers or financial data were not affected.
Immediate action was undertaken when MSK discovered the attack to remove the threat actor from all the breached accounts. Access to the bogus webpage was disabled. All employees were provided with enhanced HIPAA training and special training on email security, especially for the employees fooled by the scam.
MSK submitted this incident report to government regulations enforcement. At this point, it is believed that the data has not been used or misused in any way.
