The cancer hospital operator and clinical research organization announced a data breach that impacted approximately 827,000 people.
What happened
City of Hope, a cancer research, treatment, and prevention center based in Los Angeles and home to the National Cancer Institute (NCI) recently released a notice of a data breach.
In the breach notice, City of Hope shared that they learned an unauthorized third party had managed to gain access to the organization’s systems on or around October 13th, 2023. The malicious actor copied many files, some of which may have included personal information.
Going deeper
City of Hope became aware of the event on a smaller subset of the systems, allowing the organization to mitigate disruptions to operations.
Through an investigation launched with a cybersecurity firm, City of Hope discovered that the unauthorized organization accessed files between September 19th, 2023 and October 12th, 2023.
The investigation is ongoing. City of Hope believes that copied information may include: names, contact information, dates of birth, Social Security numbers, driver’s license or other government identification, financial details, health insurance information, medical records and information about medical history/health conditions, and unique identifiers given to individuals at City of Hope (like medical record numbers).
The City of Hope has not received any information indicating that identity theft or fraud has occurred as a result of the breach.
The organization began providing notice to potentially impacted individuals via email on Dec. 14th, 2023. On March 25th, 2024, it identified individuals whose personal information was impacted.
What was said
In a statement, a spokesperson said, “City of Hope has safely cared for patients during and after the incident.”
The organization also said, “Upon discovery of this incident, City of Hope immediately instituted mitigation measures,” including additional and enhanced safeguards.
City of Hope is encouraging patients to “remain vigilant to protect against potential fraud and identity theft by reviewing your account statements, monitoring your credit reports, and notifying your financial institutions of any potentially suspicious activity.
Why it matters
Cases like these are becoming all too common in the healthcare field. Unfortunately, many organizations do not adequately monitor their networks for suspicious activity. While malicious actors cannot always be detected quickly, monitoring is still an important safeguard that could prevent actors from copying files over an extended period.
City of Hope has not seen the data misused, but it could be in the future. It’s becoming increasingly common for malicious organizations to combine stolen data to create complete sets of personal information that can be used for identity theft or fraud. Even though those impacted by the data breach have not faced theft or fraud yet, they could be more prone to it in the future.
What’s next
For City of Hope, the investigation continues to unfold. Hopefully, City of Hope will be able to learn how the attack occurred and what became of the stolen data, but that is not always possible.
Hospitals at large should take this as another reminder that security should always be prioritized and constantly improved upon. In today’s environment, even the smallest of vulnerabilities can be exploited in devastating ways.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
