Verity Health System experienced its third phishing attack in three months in January 2019, which impacted the protected health information (PHI) of 14,894 patients. The health system also suffered two successful attacks in November 2018. One employee email account was compromised on each occasion.
Verity Health System said in its breach notification letters that no evidence was found that suggested unauthorized persons accessed any patients’ PHI. It is believed that the attacks were conducted to launch further phishing attacks on other people within the organization, though unauthorized data access could not be ruled out.
The following types of data were exposed in the most recent attack: names, birth dates, addresses, contact phone numbers, diagnoses, treatment data, patient ID numbers, medical insurance policy numbers, subscriber numbers and billing codes. The Social Security numbers and driver’s license numbers of some patients were also included in some of the emails and attachments. The personal information of some Verity Health employees was also exposed.
The breach affected patients who had received healthcare services at Verity Health’s O’Connor Hospital, St. Francis Medical Center, St. Louise Regional Hospital, Seton Medical Center, St. Vincent Medical Center and the Seton Coastside campus. The breach also affected some Verity Medical Foundation patients.
Verity Health System has notified all patients impacted by the breach by mail and offered one year of complimentary credit monitoring services to the people whose Social Security number or driver’s license number was exposed.
In all the phishing incidents, Verity Health detected the breach promptly and ended unauthorized access to the breached accounts. The accounts were inactivated and the impacted computers were disconnected from the network. All emails sent by the attackers using the compromised accounts were wiped from the email system.
Because of the attacks, Verity Health has deployed a new training module covering phishing awareness and requires all employees to complete the training. A new email security improvement program has also been launched.