Jefferson Health says a cloud-based database with information on 1,769 patients treated at the Sidney Kimmel Cancer Center was breached in April during a national attack on a software vendor.
Hackers targeted software used for radiation treatment by oncologists.
Elekta Inc. informed Jefferson of the extent of the cyberattack on May 26 and Jefferson reported it to the federal government on Thursday, toward the end of a 60-day legal window for reporting such attacks. Jefferson also last week publicly disclosed the attack for the first time.
The FBI and other federal agencies warned health-care organizations last October that they could be heightened targets for cyber crimes.
Hacking incidents involving patient information reported to the U.S. Department of Health and Human Services have soared 153% to 276 so far this year compared with the same period in 2020, according to a federal database. Under federal rules, organizations report hacks only if they involve more than 500 people.
In early June, the database shows, Temple University Hospital reported a hacking incident that affected 16,356 people — without also making any general public announcement.
The health-care system declined on Monday to provide more information. “We are no longer doing business with the third-party vendor that was breached. We’re not able to provide additional details as the investigation is still open,” a spokesman said in an email.
“The bad guys are doing pretty well right now,” said Leeza Garber, a lecturer on internet law at the Wharton School and an adjunct professor at Drexel.
“There is a huge trend in hacking and cyber crimes,” said Lisa A. Lori, a lawyer at Klehr Harrison Harvey Branzburg LLP. “It’s not just health care. It’s every industry. Hackers are smart, and people may not be paying attention.”
Hackers look to steal information or to hold for ransom organizations whose computer systems have been crippled. Earlier this year, a cyberattack crippled Colonial Pipeline and disrupted gas supplies on the East Coast. Colonial Pipeline paid the hacking group DarkSide $4.4 million to restore its computer systems. U.S. investigators later recovered some of the money.
Jefferson Health said that the April hack was limited and that the intruders did not penetrate its main computer system. The breach took place through Elekta Inc., a Swedish company. The company has not said whether the attack involved ransomware or was limited to attempted data theft.
Elekta, based in Stockholm, has posted a statement on its website about the hack saying that it had contacted cyber experts and law enforcement. “We recognize the impact this might have on customers and their patients,” Elekta said. The company did not respond to an email.
According to media reports, the hack also hit the Yale New Haven Health System, Emory Healthcare in Atlanta, Southcoast Health in Massachusetts, and other health-care systems, all involving cancer data affiliated with Elekta.
Jefferson said that the stolen information may have included patient names, birth dates, medical record numbers, and clinical information related to treatment at Jefferson Health, such as physician name and treatment plan, diagnosis, or prescription information. For some patients, a Social Security number was also included.
Financial account, insurance and payment card information was not involved in the breach.
Jefferson Health is mailing letters to patients whose information may have been involved in this incident. Jefferson Health is also providing people whose Social Security number was involved with complimentary credit monitoring and identity theft protection services. Patients are encouraged to review statements from their health-care providers, and to contact them immediately if they see a listing for any services they did not receive.
Jefferson Health said that the health-care system was reevaluating its relationship with Elekta.