HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Exposed in Verity Health System Phishing Attack

Verity Health System, a Redwood City-based network of 6 hospitals in California, has announced that the protected health information of certain patients has potentially been compromised as a result of a November 27, 2018 phishing attack.

A hacker obtained the Office 365 credentials of a Verity Health employee after the employee responded to a phishing email. For approximately one and a half hours, the unauthorized individual had access to the employee’s email account and used it to send further phishing emails to Verity Health employees and other individuals in the employee’s contact list. The emails contained a hyperlink that directed recipients to a malicious website. The investigation into the breach confirmed that none of the recipients of those phishing emails disclosed their login credentials.

The attacker’s aim appeared to be to harvest further account credentials rather than to obtain the sensitive data contained in the compromised account; however, some patients’ personal information may have been viewed or obtained while the attacker had access to the account. Fast detection and remediation of the security breach reduced the potential for information theft.

An analysis of the emails and email attachments in the account confirmed that they contained some protected health information, but it was not possible to determine whether any of the emails had been opened or copied. No messages in the account were forwarded to other email addresses and no reports have been received to suggest any patient information has been obtained and misused.

Patients whose protected health information has potentially been compromised have now been informed of the breach by mail. The breach notification letters state that the types of information contained in the account included names, phone numbers, addresses, dates of birth, Social Security numbers, dates of service, treatment information, medical conditions, billing codes, lab test results, health plan names and health insurance policy numbers, patient ID numbers, subscriber numbers, claims information, and information relating to payment for medical care.

Upon discovery of the breach, the email account was disabled and the user’s computer was disconnected from the network. All unauthorized emails sent through the compromised account were deleted from the email system and email recipients who had clicked the link in the email also had their email accounts disabled as a precaution.

All users who clicked the link in the phishing emails have received further training and a new training module has been developed for all employees to raise awareness of the threat from phishing. A project has also been created and launched to enhance email security, which includes disabling all unknown URLs sent via email.
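The pattern described above, a single mailbox pushing the same unfamiliar link to many contacts within a short window, is one that mail logs can surface before the compromised account has worked through the whole contact list. The script below is an added illustration of that detection logic; it is not Verity Health’s or HIPAA Journal’s code. It runs over constructed message-trace records: the field names, the allow-list of known domains, the sample addresses and the thresholds are all assumptions for the example, not values from the incident.

```python
"""Flag a mailbox that sends a burst of messages carrying the same unrecognised
link to many distinct recipients inside a short window.

The records below are constructed for this example. Their field names only
loosely mimic a mail-trace export and are an assumption, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from urllib.parse import urlparse

# Assumption: link hosts the organisation knows and routinely sends.
KNOWN_DOMAINS = {"example-health.org", "portal.example-health.org", "office.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _record(ts, sender, recipient, body):
    """Build one constructed trace record."""
    return {"ts": datetime.fromisoformat(ts), "sender": sender,
            "recipient": recipient, "body": body}


COMPROMISED = "clinician@example-health.org"  # constructed address
LURE = "Please review the shared document: http://docs-share-login.example.net/view"

# Constructed trace: ordinary traffic plus one lateral-phishing burst.
TRACE = [
    _record("2018-11-27T08:15:00", COMPROMISED, "scheduling@example-health.org",
            "Updated rota: https://portal.example-health.org/rota"),
    _record("2018-11-27T08:40:00", "billing@example-health.org", COMPROMISED,
            "Claim query, reply via https://office.com/mail"),
    # One message with an unknown link stays below the recipient threshold.
    _record("2018-11-27T11:05:00", "researcher@example-health.org", "peer@example-health.org",
            "Preprint here: https://preprint-mirror.example.net/abs/1234"),
]
# Eight lure messages from the compromised mailbox, two minutes apart.
for i in range(8):
    TRACE.append(_record(f"2018-11-27T10:{2 * i:02d}:00", COMPROMISED,
                         f"contact{i}@example.com", LURE))


def extract_unknown_domains(text, known=KNOWN_DOMAINS):
    """Return the set of link hostnames in text that are not on the allow-list."""
    found = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host.lower() not in known:
            found.add(host.lower())
    return found


def find_phishing_bursts(records, window=timedelta(minutes=90), min_recipients=5):
    """Return {(sender, domain): {"first_seen", "recipients"}} for every
    sender/unknown-domain pair that reached at least min_recipients distinct
    recipients inside any window of the given length."""
    events = defaultdict(list)  # (sender, domain) -> [(timestamp, recipient)]
    for r in records:
        for domain in extract_unknown_domains(r["body"]):
            events[(r["sender"], domain)].append((r["ts"], r["recipient"]))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        # Slide the window forward from each event; stop at the first burst.
        for i, (start, _) in enumerate(evs):
            recipients = {rcpt for ts, rcpt in evs[i:] if ts - start <= window}
            if len(recipients) >= min_recipients:
                hits[key] = {"first_seen": start, "recipients": sorted(recipients)}
                break
    return hits


if __name__ == "__main__":
    for (sender, domain), info in find_phishing_bursts(TRACE).items():
        print(f"ALERT: {sender} sent a link to {domain} to "
              f"{len(info['recipients'])} recipients starting {info['first_seen']}")
```

The allow-list is what turns “a link” into “an unknown link”, which is the same distinction the article’s URL-blocking project relies on; the recipient threshold and window are tuning knobs, and a real deployment would feed the hit straight into the response steps the article lists (disable the sending account, purge the messages, and disable accounts of recipients who followed the link).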

While the risk of identity theft and fraud is believed to be low, all individuals affected by the breach have been offered one year of identity theft and credit monitoring services without charge.

The breach has been reported to the California Attorney General’s Office and other relevant authorities. The HHS’ Office for Civil Rights breach portal shows 2,988 individuals have been affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.