Phishing Attack Reported by Verity Health’s St. Vincent Medical Center

St. Vincent Medical Center, a part of Verity Health System, has discovered a web email account has been compromised as a result of a response to a phishing email.

The breach occurred on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was detected on March 26 and the account was secured within hours.

During the time that the unauthorized individual had access to the account, it was used to send phishing emails to internal and external email addresses. Those messages contained malicious attachments and hyperlinks. According to a substitute breach notice provided to the California Attorney General, no other employee accounts were breached as a result of misuse of the email account.

While the intention of the attacker appears to have been to obtain login credentials to other email accounts, during the time that the account was accessible, full access to emails, folders, and email attachments was possible. The investigation into the breach could not confirm whether any patient information in emails and email attachments had been accessed or copied by the attacker.

A review of those emails confirmed they contained the PHI of certain patients including names, addresses, phone numbers, dates of birth, Social Security numbers, medical record numbers, dates of service, medical conditions, treatments provided, lab test results, and health plan names.

Upon discovery of the breach, unauthorized access to the account was terminated and all phishing emails sent from the account were removed from the email system. Employees discovered to have clicked on links in the emails also had their email accounts disabled and secured.

Verity Health System has experienced multiple phishing attacks in the past few months. This incident follows two attacks in late December 2018 and another attack in January. The January attack affected almost 15,000 patients.

Verity Health has now implemented further email security controls to block malicious emails along with multi-factor authentication. Individuals involved have been provided with counseling and re-education and a new security module has been deployed.

According to the HHS’ Office for Civil Rights breach portal, 662 patients were affected by the St. Vincent Medical Center breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.