Integrated Oncology Network (ION), a PET imaging provider based in Nashville, Tennessee, recently disclosed a phishing attack that occurred in December. This cyber incident resulted in unauthorized access to patient data, prompting the company to notify affected individuals and the Department of Health and Human Services in late June. The breach impacted several PET imaging centers, including locations in Tulsa, Oklahoma, and various cities across Texas, such as Houston, Dallas, and Sugar Land.
The information potentially accessed by the unauthorized third parties was extensive, including dates of birth, diagnoses, and financial account information.
For a smaller subset of individuals, even Social Security numbers were compromised. ION expressed its commitment to data protection in a public notice, stating, “Integrated Oncology Network is committed to protecting the confidentiality of the information we maintain,” and conveyed regret for any inconvenience or concern caused by the incident.
Following a May investigation that confirmed unauthorized access to a “small number” of email and SharePoint accounts, ION began the notification process. Physicians were informed on June 13, and customer alerts commenced on June 27. In response to the breach, ION is advising patients to meticulously review their provider and insurance statements for any discrepancies.
Additionally, the company is implementing enhanced cybersecurity training for its staff to bolster its defenses against future incidents.
The severity of the breach has drawn the attention of legal firms. Schubert Jonckheer & Kolbe announced on July 9 that they have launched an investigation into the cyber incident. The firm estimates that approximately 114,000 individuals may have been impacted by the data breach, and they are now considering filing a lawsuit against Integrated Oncology Network on behalf of the affected parties.
The law firm’s notice highlights the potential risks for individuals whose personal information was compromised, warning of identity theft and other serious privacy violations. It further suggests that affected individuals might be entitled to monetary damages and a court order requiring ION to improve its cybersecurity practices. This incident underscores the critical importance of robust cybersecurity measures for healthcare providers handling sensitive patient information.
Reference:
