HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Verity Health System Suffers Third Phishing Breach in 3 Months

Verity Health System patients’ PHI was exposed in a phishing attack in 2016, in two further phishing attacks in November 2018, and the 6-hospital health system has now announced yet another attack occurred in January 2019. The latest phishing incident has impacted 14,894 patients. Three employees’ email accounts were compromised in the last three phishing attacks.

Verity Health System explained in its breach notification letters that no evidence was uncovered to suggest any patients’ protected health information had been accessed by unauthorized individuals. The attacks are believed to have been conducted for use in further phishing attacks on other individuals in the organization, although PHI access could not be ruled out.

The types of information exposed in the latest attack includes names, addresses, contact telephone numbers, dates of birth, diagnoses, treatment information, health insurance policy numbers, subscriber numbers, patient ID numbers, and billing codes. Some of the files attached to emails also included Social Security numbers and driver’s license numbers. Some Verity Health employees also had personal information exposed.

Patients affected by the breach had previously received medical services at Verity Health’s O’Connor Hospital, St. Louise Regional Hospital, St. Francis Medical Center, St. Vincent Medical Center, and Seton Medical Center, including the Seton Coastside campus. Some Verity Medical Foundation patients were also affected.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

All patients affected by the breach have now been notified by mail and individuals whose Social Security number or driver’s license number was exposed have been offered complimentary credit monitoring services for 12 months.

In all of the phishing attacks, Verity Health identified the breach quickly and promptly terminated unauthorized access to the compromised accounts. The accounts were then disabled and affected computers were disconnected from the network and all emails that the attackers sent from the compromised accounts were deleted from the email network.

The attacks have prompted Verity Health to deploy a new phishing training module and all employees will be required to complete the training. A new project has also been launched to improve email security, which includes compulsory password resets and disabling unknown URLs.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.