HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Verity Health System Announces Details of 10K-Record Data Breach

Verity Health System – A Redwood City-based Californian health system comprising six hospitals, the Verity Medical Foundation, and the Verity Physician Network – has discovered that one of its websites was breached by a hacker who gained access to the electronic protected health information (ePHI) of thousands of its former patients.

The unauthorized individual accessed a Verity Medical Foundation (San Jose) Medical Group website that contained a wide range of protected health information on “more than 9,000 patients”.

Verity Health System discovered that its systems had been breached on January 6, 2017. An investigation into the breach was immediately launched and a third-party cybersecurity firm was brought in to conduct a full forensic analysis.

That analysis determined that access to the website was first gained in October 2015 and continued until early January 2017.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Verity Health System reports that Social Security numbers were not stored on the website and financial information was not viewed, apart from the last four digits of credit/debit card numbers. The website that was accessed was no longer in use and upon discovery of the breach, access to the website was immediately terminated and the site was secured.

No medical records were viewed and the breach was limited to ID numbers and patients’ personal information. That information included patients’ names, addresses, email addresses, phone numbers, dates of birth, and medical record numbers.

The incident was reported to the Department of Health and Human Services’ Office for Civil Rights on January 11. The OCR breach notification shows that 10,164 patients were impacted.

According to a statement from Verity Health System, “We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”

Given the length of time that the system remained accessible, it is fair to assume that patient information has been accessed. However, Verity Health System has not received any reports to suggest that ePHI has been used in an “unauthorized fashion.”

Patients affected by the incident had visited Verity Health System facilities for treatment between 2010 and 2014. All patients affected have been notified of the data breach by mail and have been offered 12 months of credit monitoring services without charge.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.