Contrary to what some may think, hackers can have scruples and, in some cases, honorable intentions—it's kind of the whole idea behind white hat hacking and events like
Pwn2Own. But then there are the kind who wouldn't think twice about breaching a cancer center and swipe personal details of hundreds of thousands of patients. You can guess which one we're writing about here.
City of Hope, a non-profit clinical research facility, hospital, and cancer treatment center posted a notice disclosing a data breach in which a third party infiltrated its servers and stole a bunch of data, the extent of which varies by individual.
"On or about October 13, 2023, City of Hope became aware of suspicious activity on a subset of its systems and immediately instituted mitigation measures to minimize any disruption to its operations. City of Hope launched an investigation into the nature and scope of the incident with the assistance of a leading cybersecurity firm, which determined that an unauthorized third party accessed a subset of our systems and obtained copies of some files between September 19, 2023 and October 12, 2023," the security notice states.
It's not unusual for a company to hold off disclosing a security breach while it investigates the extent of the hack. In this case, City of Hope says the investigation remains ongoing, but has confirmed that the stolen data may contain names, contact information (such as phone numbers and email addresses), dates of birth. social security numbers, driver's license or other government IDs, financial details (such as bank account numbers and/or credit card info), health insurance information, medical records, medical histories and conditions, and other unique identifiers.
That all amounts to a treasure trove of illegally-obtained data. While not stated in the
security notice, according to a
disclosure submitted to the Office of the Maine Attorney General, the number of patients impacted by the data breach stands at 827,149.
"Upon discovery of this incident, City of Hope immediately instituted mitigation measures. We then promptly implemented additional and enhanced safeguards and enlisted the support of a leading cybersecurity firm to enhance the security of our network, systems, and data. We also launched a comprehensive investigation, identified individuals affected, reported the incident to law enforcement, and notified regulatory bodies," City of Hope added.
Hitting a cancer center feels like a new low for black hat hackers, though unfortunately it's not. Several years ago, hackers infiltrated the Epilepsy Foundation and sent images of seizure-inducing flashing strobe lights to its social media followers
City of Hope said it is providing identity monitoring services for two years for no cost to those who are impacted by the data breach.