Notice of Data Incident

Roswell Park Comprehensive Cancer Center has contacted approximately 11,000 patients to notify them of a data security event that could have involved their protected health information. We are providing public notice out of an abundance of caution so potentially affected individuals are informed about the incident and how they can obtain additional information.

What Happened? At the end of October 2024, an unauthorized and unidentified actor stole a Roswell Park employee’s phone. Upon being notified of this event, Roswell Park immediately disabled the device and launched an investigation. Because the investigation revealed that the employee had a Roswell Park email account accessible through the Microsoft Outlook app, Roswell Park quickly contacted Microsoft support to gather as much information as possible.

What Information Was Involved? While there is no evidence that the email account was accessed or that any patient information was viewed or misused, that possibility exists. While we cannot ascertain whether or to what extent any email messages containing private health information were viewed or accessed, there is the possibility that the unauthorized actor may have had access to a limited amount of protected health information included in the email messages.

This event did not impact any of Roswell Park’s systems or patient care. The unauthorized actor did not have access to any part of Roswell Park’s electronic medical records. No Social Security numbers or financial information could have been viewed or accessed. We have determined that the type of information that could potentially have been viewed or accessed included name, medical record number, date of birth, dates associated with treatment, encounter number, and age.

What Are We Doing? We take this incident very seriously. In addition to directly notifying the individuals who could potentially have been impacted, we are taking all appropriate measures to review our information security practices and processes. The data security safeguards we have in place allowed us to take prompt action to limit the impact of the unauthorized access.

Roswell Park is continuing to work with Microsoft to identify opportunities to strengthen our security policies and procedures regarding mobile devices. We have also taken steps to retrain our workforce on the importance of securing and protecting their mobile devices.

What Can You Do? Although financial information was not involved, you may contact the credit agencies below if you have any concerns.

  • Experian: (888) 397-3742; www.experian.com; PO Box 9532, Allen, TX 75013
  • TransUnion: (800) 916-8800; www.transunion.com; Fraud Victim Assistance Division, PO Box 6790, Fullerton, CA 92834-6790
  • Equifax: (800) 525-6285; www.equifax.com; PO Box 740241, Atlanta, GA 30374-0241

For More Information. If you have any questions, you can contact Roswell Park at 1-800-ROSWELL.