More than 827K patients of the Duarte, CA, based City of Hope (COH), a private, non-profit clinical research center, received formal notification from the organization last week that stated in part, that on or about October 13, 2023, they experienced a major security breach.
More than 827K patients of the Duarte, CA, based City of Hope (COH), a private, non-profit clinical research center, received formal notification from the organization last week that stated in part, that on or about October 13, 2023, they experienced a major security breach. (source: cityofhope.org)

Last Updated on April 9, 2024 by BVN

S.E. Williams

“Protecting the security of information is a responsibility,” noted Equifax, a multinational consumer reporting agency and nearly everyone agrees. 

When you are battling Stage 4 leiomyosarcoma, lung, ovarian, pancreatic, prostate,  breast or one of any other type of cancer, the last thing you need added to your stress level is a breach of your security that may include anything or everything from your name to your banking information to medical details about your most devastating illness and your epic battle to stave off its inevitability.  

But, that is exactly the stress being experienced by more than 827K patients of the Duarte  based City of Hope (COH),  a private, non-profit clinical research center. Last week these patients received formal notification from the organization stating in part, that on or about October 13, 2023,  Further information indicates records were at risk between  September 19, 2023, and continued to October 12, 2023.” COH said it began taking action beginning October 13, 2024.

“Teams that say their cyber-security is really good are the ones to worry about. After our breach, the most difficult issue was deciding when it was safe enough to come back online. I learned that really smart engineers can talk English, under extreme pressure.”

Dame Dido Harding, former CEO of TalkTalk

According to organization officials, in addition to acting to minimize the disruption to operations, it began investigating and assessing the scope of the incident. Although the breach was reported to the California State Attorney General’s office as required by law, it has taken almost six months for the nearly one million individuals impacted by the breach to receive official notification of the incident. 

Why should COH patients be concerned?

COH’s system was accessed by an unauthorized individual(s) who captured an assortment of personal information including social security numbers, financial details, medical records and health insurance information according to the organization. 

COH patients impacted by the data breach received a letter from the organization dated April 2, 2024,  The letter apprised clients of the breach, the type of information exposed, added security measure to prevent such breaches from occurring in the future and the promise of two years security services at no charge as part of its mitigation measures.  

The security breach potentially affected 827,149 patients according to a data breach notification filed with the CA State Attorney General’s office

In a letter dated April 2, 2024, to the near one million COH patients impacted by the data breach, the organization apprised clients of the breach, the type of information at risk, added security measure to prevent such breaches from occurring in the future and the promise of two years security services at no charge as part of its mitigation measures.  (source: unnamed)

Sensitive information potentially exposed included full names, email addresses, phone numbers, birth dates, driver’s license and/or government identification information, bank account numbers, credit card details, health insurance information and patients’ medical records and history. 

In addition to its headquarter’s location in Duarte, CA, COH has offices located across the state, as well  as Arizona, Georgia and Illinois. 

COH engages with more than 11,000 clinicians, researchers and other professionals who provide care and treats to approximately 134,000 patients each year. 

If you are currently a patient of COH or were a patient through October 14, 2023, and have questions about the breach,  please call (866) 495-8913, Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time, excluding major U.S. holidays. Please have your COH Membership Number ready. You can also visit the City of Hope’s website devoted to the breach  for additional information.

There should be a requirement to let those impacted by a breach to be notified more expeditiously. On July 23, 2023, the Security and Exchange SEC Commission (SEC) adopted rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies requires reporting to the Attorney General within four business days. In addition, although the rules will apply to foreign private companies, it does not appear to apply to private companies within the U.S. Regardless, however, there appears to be no requirement to notify the general public—especially those directly impacted—right away.

I believe it is important that as these rules are implemented there should be a priority placed on public notification. 

Of course, this is just my opinion. I’m keeping it real. 

Stephanie Williams is executive editor of the IE Voice and Black Voice News. A longtime champion for civil rights and justice in all its forms, she is also an advocate for government transparency and committed to ferreting out and exposing government corruption. Stephanie has received awards for her investigative reporting and for her weekly column, Keeping it Real. Contact Stephanie with tips, comments. or concerns at myopinion@ievoice.com.