Verity Health System Suffers Third Phishing Breach in 3 Months

Share this article on:

Verity Health System patients’ PHI was exposed in a phishing attack in 2016, in two further phishing attacks in November 2018, and the 6-hospital health system has now announced yet another attack occurred in January 2019. The latest phishing incident has impacted 14,894 patients. Three employees’ email accounts were compromised in the last three phishing attacks.

Verity Health System explained in its breach notification letters that no evidence was uncovered to suggest any patients’ protected health information had been accessed by unauthorized individuals. The attacks are believed to have been conducted for use in further phishing attacks on other individuals in the organization, although PHI access could not be ruled out.

The types of information exposed in the latest attack includes names, addresses, contact telephone numbers, dates of birth, diagnoses, treatment information, health insurance policy numbers, subscriber numbers, patient ID numbers, and billing codes. Some of the files attached to emails also included Social Security numbers and driver’s license numbers. Some Verity Health employees also had personal information exposed.

Patients affected by the breach had previously received medical services at Verity Health’s O’Connor Hospital, St. Louise Regional Hospital, St. Francis Medical Center, St. Vincent Medical Center, and Seton Medical Center, including the Seton Coastside campus. Some Verity Medical Foundation patients were also affected.

All patients affected by the breach have now been notified by mail and individuals whose Social Security number or driver’s license number was exposed have been offered complimentary credit monitoring services for 12 months.

In all of the phishing attacks, Verity Health identified the breach quickly and promptly terminated unauthorized access to the compromised accounts. The accounts were then disabled and affected computers were disconnected from the network and all emails that the attackers sent from the compromised accounts were deleted from the email network.

The attacks have prompted Verity Health to deploy a new phishing training module and all employees will be required to complete the training. A new project has also been launched to improve email security, which includes compulsory password resets and disabling unknown URLs.

Author: HIPAA Journal

Share This Post On