A cybersecurity breach at a Florida senior care provider went unnoticed for two years and impacted patient data.
Cano Health discovered in April 2020 that some email accounts belonging to its employees had been compromised by threat actors.
After investigating the incident, the healthcare company found that the accounts had been accessed multiple times in a prolonged security breach that took place between May 18, 2018, and April 13, 2020.
The cyber-incident came to light on April 13, when some messages received by one of the compromised accounts were forwarded to a third party outside of the company.
Cano Health found that a total of three employee accounts had been compromised and subsequently took steps to secure them. An examination into the breach revealed that an unknown person or persons may have accessed patients' personal information.
Cano Health operates 46 medical centers located throughout Florida. Earlier this month, the company began notifying patients of a potential data security issue.
In a statement published on their blog June 12, the company said: “Based on its investigation, Cano Health cannot confirm that any emails were accessed by the unknown perpetrator, but because some emails contained documents or messages with personal information, it is notifying all potentially affected individuals out of an abundance of caution.”
The information in the compromised email accounts included patient names, dates of birth, contact information, healthcare information, insurance information, Social Security numbers, government identification numbers, and/or financial account numbers.
“We take the protection of our patients’ information very seriously and sincerely apologize for any concern or inconvenience this incident has caused or may cause to anyone who has been affected,” said Cano's chief executive officer, Dr. Marlow Hernandez-Cano.
“We are committed to continuously updating our information security to guard against new and emerging threats.”
Cano Health said that patients who may have been impacted by the breach would be notified in writing. The company advised these patients to “regularly review and monitor their personal information, accounts, and benefits statements.”
The company is offering complimentary credit monitoring services to patients whose financial information may have been affected by the data breach.