Cancer treatment center South Texas Oncology and Hematology (STOH) based in San Antonio, TX has informed 176,303 patients about a cyberattack discovered on February 15, 2024. STOH has seven centers located in Texas with over 405 employees and approximately generates $8 million in yearly revenue. After discovering the security incident, STOH deactivated its system and engaged a third-party cybersecurity company to help secure its systems and perform a forensic investigation to know the nature and extent of the incident.
On February 19, 2024, STOH reported that an unauthorized party got access to areas of its system that contain the personal data of workers and the protected health information (PHI) of present and past patients and potentially stole those files in the attack. The files are under review and could have included the following exposed data: names, Social Security numbers, dates of birth, and health data.
STOH informed law enforcement and government regulators regarding the attack in March and April and published a breach notice on its web page. The file analysis was done in June 2024. Although no actual or attempted improper use of the breached information was identified, the HIPAA breach notification law requires sending notifications to affected individuals; STOH also provided them with free Single Bureau Credit Monitoring/Single Bureau Credit Score/Single Bureau Credit Report services.
On June 17, 2024, the breach report submitted to the Attorney General of Texas indicated that 176,303 people were impacted. The breach report submitted to the HHS Office for Civil Rights indicated that the PHI of 175,195 patients was exposed.
STOH is determined to protect the privacy of all personal data it maintains. It took action to avoid the same incident in the future by evaluating its guidelines, procedures, and security protocols and improving security with upgraded solutions and new, automated apps. STOH’s IT team also confirmed the scanned backups for any malware before reactivating systems online.