Notice of Email Phishing Incident

At Weill Cornell Medicine, we are committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns an incident involving unauthorized access to certain employee emails, which may have contained some patient information. While Weill Cornell has no indication that any patient information has been misused, this notice explains the incident, outlines the measures we have taken in response, and offers steps patients can take as a precaution.

What Happened?

On September 13, 2021, we learned of suspicious email activity and our investigation identified a small number of Weill Cornell email accounts with unauthorized access between September 9 and September 23, 2021. We believe the access occurred as part of an effort to perpetuate phishing attempts, not to access patient information. However, in the process of carrying out this attempt, some patient information may have been accessible.  

What Information Was Involved?

The emails may have contained one or more of the following: patient name, address, email address, date of birth, health insurance information, medical record number, and/or clinical information related to care received at Weill Cornell. In limited instances, patients’ Social Security numbers were also included. Importantly, this incident was limited to email, and Weill Cornell’s electronic medical records were not accessible. This incident affected only a small percentage of Weill Cornell patients.

What We Are Doing and What You Can Do

Beginning November 12, 2021, we are mailing notification letters to affected patients. We also have established a dedicated call center regarding this specific matter that affected individuals can contact for more information, available at 1 (833) 325-1778, Monday through Friday between 9 a.m. and 9 p.m. Eastern Time, excluding major U.S. holidays. For the limited number of patients whose Social Security number was contained in the emails, Weill Cornell is offering complimentary credit monitoring and identity protection services. Weill Cornell also recommends patients review statements they receive from their healthcare providers and health insurer, and report any inaccuracies to the provider or insurer immediately.

Weill Cornell deeply regrets any concern this incident may cause. We take the confidentiality and security of our patients' information very seriously, and are continuing to expand our extensive security measures, such as requiring all devices to utilize the multi-factor authentication process, and providing additional employee training on how to identify and avoid suspicious emails.