June 24, 2024

Please note: This incident does not involve social security numbers or any financial information. The notice below provides you information about the incident and MSK’s response.

What happened?

On April 26, 2024, MSK became aware of suspicious activity that had occurred on April 22 in an MSK employee’s email account. We learned that the suspicious activity was caused by a user who was not permitted to have access to MSK email. A user like this is commonly called a “threat actor.”

On April 26, the threat actor sent an email from the MSK employee’s account to many other employees. The email (known as a “phishing email”) included a link to a fake webpage that asked people to log into their own MSK accounts to view a document. Because the phishing email was sent from an MSK employee’s email, it looked like a valid internal email. As a result, several employees entered their MSK login information on the fake webpage. The threat actor was then able to use that login information to access the other employees’ accounts.   

What information was involved?

The threat actor was only able to access limited employee emails and files.  Some of these emails and files contained protected health information. No MSK medical record systems were accessed or otherwise compromised. The protected health information that was accessed included first and last names, medical record numbers, and clinical information such as diagnoses, medication names, treatment types and some dates of treatment.  For some individuals, dates of birth and contact information such as address, email or telephone number were also included. The emails and files did not include any social security numbers or financial information.

What is MSK doing in response?

As soon as MSK learned about the incident, we took steps to stop the threat actor. MSK’s data security team quickly locked the threat actor out of all the MSK employees’ accounts and reset the accounts. Our data security team also disabled the fake webpage that the threat actor created and took other steps to prevent the threat actor from getting access again. MSK provided additional training to all staff and gave special training to the employees involved in this incident to help them better spot phishing emails and keep their accounts secure. MSK also reported this incident to law enforcement.  At this time, there is no reason to believe that the information has been used in any way.   

What can you do?

Because of the nature of this incident and the type of information that was accessed, we do not believe there are any additional steps that affected individuals need to take. MSK provided written notification to individuals whose information was affected by this incident.  This posting serves as a further notification in the event the written notification does not reach all affected individuals.  If you have any questions, we’ve set up a toll-free call center that is available between and Eastern Time, Monday through Friday, except holidays. Call 1-888-292-0210. We are here to address any concerns you may have.

Respect for our patients’ privacy is an essential part of the high-quality care that we provide at MSK, and we sincerely apologize for this incident.