Several employees of New York City-based Memorial Sloan Kettering Cancer Center got tricked by an email phishing scam after a hacker took over one of their co-workers' accounts.
The cybercriminal sent an email from the breached account in April directing staffers to visit a fake webpage and input their log-in credentials to view a document, the organization said in a late June notice. Memorial Sloan Kettering told HHS that 12,274 individuals were affected by the breach.
The threat actor then logged into the accounts of the employees who fell for the scam and accessed "limited" employee emails and files containing protected health information such as diagnoses, treatments and medications, as well as personal contact information, the health system said. No Social Security numbers or financial details were breached, and the EHR was not accessed.
Upon discovering the incident, Memorial Sloan Kettering locked the hacker out of the accounts, reset them and disabled the fake webpage, the organization said.
"MSK provided additional training to all staff and gave special training to the employees involved in this incident to help them better spot phishing emails and keep their accounts secure," the health system said in a statement. "MSK also reported this incident to law enforcement. At this time, there is no reason to believe that the information has been used in any way."