Cancer treatment provider 21st Century Oncology Holdings has warned 2.2 million patients and employees that their sensitive data may have been stolen in a cyberattack.
The breach was revealed on March 4, but the Florida-based cancer clinic chain was informed of the cyberattack and information theft on November 13, 2015, by the FBI. The US law enforcement agency knew about the attack but asked 21st Century Oncology to keep quiet until an investigation into the incident was complete.
The cyberattackers accessed a key database in early October. Although there are no details concerning how the cybercriminals managed to compromise the company's network, they were able to access and steal data including patients' names, Social Security numbers, physicians' names, diagnosis and treatment information, as well as insurance records.
As noted by Threatpost, the data breach may impact up to 2.2 million patients and physicians.
However, the clinic chain says there is no evidence to suggest medical records were part of the haul.
In a statement, 21st Century Oncology said:
"Now that law enforcement's request for delay has ended, we are notifying patients as quickly as possible. We continue to work closely with the FBI on its investigation of the intrusion into our system.
In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future."
The medical group is offering those affected a year of free credit monitoring.
21st Century Oncology's data breach is the latest incident which highlights a growing trend of core services being struck by cyberattacks. Medical information and sensitive data linked to these records -- such as names, addresses and Social Security numbers -- are all valuable elements which can be sold off in underground markets and used in identity theft.
Last month, two German hospitals were held to ransom by malware, and cybercriminals demanded a fee in Bitcoin to release critical files. While both hospitals refused to bow to the cyberattackers' demands, in a separate incident, the Hollywood Presbyterian Medical Center, also hit with ransomware, paid a $17,000 fee to resume normal operations.