Memorial Sloan Kettering Cancer Center (MSK) was recently notified by a third-party software vendor, Accellion, Inc., of a technical vulnerability in a document-sharing system used at MSK. MSK was one of many Accellion customers whose document-sharing systems were involved in this incident. After a full investigation, we discovered that an unauthorized party was able to access and copy a subset of electronic documents stored on the system.
We have determined that the electronic documents involved contained some personal health information for some patients. We have notified those whose information was involved in this incident, and we sincerely regret any inconvenience or concern this may cause.
We have outlined more information about this technical vulnerability below, along with resources for assistance if you have any questions.
Upon learning of the technical vulnerability from Accellion on January 23, 2021, we immediately took the Accellion document-sharing system offline and launched an investigation. On February 3, 2021, we learned that the vulnerability in the system may have resulted in unauthorized access between January 20 and 22, 2021, to electronic documents stored on the system.
The document-sharing system was self-contained and MSK’s own IT systems were not involved in this incident. MSK has access to all documents stored on the document-sharing system and we will not be putting it back in service.
As part of our investigation, we carefully analyzed the documents involved to fully understand what information was impacted, and we began the process to notify patients as soon as we determined their information was involved.
Our investigation determined that the electronic documents involved included names and certain other information that varies by individual. For each individual, the data may have included home address, date of birth, and patient information, such as test results or treatment data. While some personal health information was in the documentation, there was no access to MSK’s medical records system or any patient’s full medical record.
For three patients who have already been notified, this information also included their Social Security number or their financial account or credit card information.
We value the privacy and confidentiality of our patients and deeply regret any inconvenience or concern this may cause. On Wednesday, March 31, 2021, we mailed letters to patients whose health information was involved.
Although the information involved was limited, out of an abundance of caution, we recommend impacted individuals review the statements they receive from their healthcare providers and insurance plan. If they see any services that were not received, they should contact their provider or health plan immediately.
If you believe your information may have been involved and do not receive a letter by Thursday, April 15, then please call 1-833-416-0913. Representatives are available Monday through Friday from 9 am - 9 pm, Eastern Daylight Time.
We take information security very seriously and regret any concern this may cause. To help prevent something like this from happening in the future, we have taken the document-sharing system offline permanently.