PHI of patients at Verity Health System exposed
Protected Health Information (PHI) of patients at Verity Health System has been exposed and possibly compromised in a phishing attack in 2016, then twice more in phishing attacks in November 2018, and now in the latest phishing attack in January 2019. This latest incident possibly compromised the data of 14,894 patients. In it, an unauthorized individual gained access to the web email accounts, including attachments, of three employees.
In all these phishing attacks, Verity Health identified the breach quickly. The security team promptly terminated the unauthorized access to the compromised accounts and then disabled those accounts. The affected computers were disconnected from the network, and all the emails that the attackers sent from the compromised accounts were deleted from the email network.
In its breach notification letters, Verity Health System said that no evidence was found to suggest that any of the patients' PHI was accessed by the unauthorized individuals. The investigation still cannot rule out access to PHI, although officials said the attack appears to have been conducted to perpetrate further phishing attacks on other employees in order to obtain user credentials.
The types of information exposed in this latest attack include names, dates of birth, contact telephone numbers, addresses, diagnoses, health insurance policy numbers, treatment information, patient ID numbers, billing codes, and subscriber numbers. A few of the files attached to the emails also included driver's license numbers and Social Security numbers. Moreover, some Verity Health employees also had their personal information exposed.
The patients affected by this breach had earlier received medical services at Verity Health's O'Connor Hospital, St. Vincent Medical Center, St. Francis Medical Center, St. Louise Regional Hospital, and Seton Medical Center, which includes the Seton Coastside campus. A few patients of Verity Medical Foundation were also affected.
All the patients affected by this breach are being notified by mail. In addition, individuals whose driver's license numbers and Social Security numbers were exposed are being offered complimentary credit monitoring services for 12 months.
Officials said in a statement that "the organization is deploying a new mandatory training module for all employees and has initiated a project to enhance security, including mandating password resets for all employees and disabling unknown URL".
» SPAMfighter News - 4/6/2019