Share this article on:
Verity Health System – A Redwood City-based Californian health system comprising six hospitals, the Verity Medical Foundation, and the Verity Physician Network – has discovered that one of its websites was breached by a hacker who gained access to the electronic protected health information (ePHI) of thousands of its former patients.
The unauthorized individual accessed a Verity Medical Foundation (San Jose) Medical Group website that contained a wide range of protected health information on “more than 9,000 patients”.
Verity Health System discovered that its systems had been breached on January 6, 2017. An investigation into the breach was immediately launched and a third-party cybersecurity firm was brought in to conduct a full forensic analysis.
That analysis determined that access to the website was first gained in October 2015 and continued until early January 2017.
Verity Health System reports that Social Security numbers were not stored on the website and financial information was not viewed, apart from the last four digits of credit/debit card numbers. The website that was accessed was no longer in use and upon discovery of the breach, access to the website was immediately terminated and the site was secured.
No medical records were viewed and the breach was limited to ID numbers and patients’ personal information. That information included patients’ names, addresses, email addresses, phone numbers, dates of birth, and medical record numbers.
The incident was reported to the Department of Health and Human Services’ Office for Civil Rights on January 11. The OCR breach notification shows that 10,164 patients were impacted.
According to a statement from Verity Health System, “We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”
Given the length of time that the system remained accessible, it is fair to assume that patient information has been accessed. However, Verity Health System has not received any reports to suggest that ePHI has been used in an “unauthorized fashion.”
Patients affected by the incident had visited Verity Health System facilities for treatment between 2010 and 2014. All patients affected have been notified of the data breach by mail and have been offered 12 months of credit monitoring services without charge.