Memorial Sloan Kettering Cancer Center (MSK) recently reported a phishing attack that exposed the protected health information of 12,274 individuals. The breach was discovered on April 26, 2024, when suspicious activity was identified in an employee email account. The compromised account was used to send a phishing email to other MSK employees, containing a link to a fake login page that captured user credentials. The email appeared legitimate because it was sent from a valid MSK account, leading several employees to fall victim to the scam.
An analysis of the compromised email accounts revealed that they contained sensitive information, including patients’ names, medical record numbers, diagnoses, medication details, treatment types, and dates of treatment. In some cases, additional personal information such as contact details and dates of birth were also exposed. However, MSK confirmed that medical records were not accessed, and no Social Security numbers or driver’s license numbers were compromised in the breach.
In response to the attack, MSK took immediate action to secure the compromised accounts by locking out the threat actor and blocking access to the spoofed webpage. The swift response helped to limit the impact of the breach and prevent further unauthorized access to employee accounts. MSK also confirmed that the phishing attack was limited to email accounts and did not extend to other systems or records.
To prevent similar incidents in the future, MSK provided enhanced training to its employees on email security, with a particular focus on those who were tricked by the phishing scam. The center emphasized the importance of vigilance in recognizing phishing attempts and took steps to bolster its cybersecurity defenses to protect sensitive information from future threats.
Reference: