Two recent phishing attacks gave a hacker access to three employee web email accounts, including attachments with personal data. Verity Health System and Verity Medical Foundation are notifying patients that their data was potentially breached by these attacks, which occurred in November 2018 and in January 2019, as reported by HealthITSecurity.
Upon discovery, the Verity IT team terminated access to these accounts within hours. The email accounts were also disabled and the services were disconnected from the network, and all unauthorized emails sent by the account were deleted.
An investigation revealed that the attack appeared to be an attempt to obtain user credentials. Credential-stealing attacks skyrocketed in 2018, as hackers shifted away from straight malware infections. The goal of such attacks is to obtain usernames and passwords, which would give hackers access to other network entry points.
The compromised email accounts contained a wide range of data that varied by patient, including names, treatment details, medical conditions, health insurance policy numbers, and billing codes. The attachments included subscriber numbers, dates of birth, patient identification numbers, addresses, and phone numbers.
For some patients, Social Security numbers and driver’s license numbers were breached. These patients will receive a year of free credit monitoring. Further, some Verity employee data was also breached.
This is the second breach for Verity in the last two years. In February 2017, the health system reported that a hacker potentially accessed the website of the Verity Medical Foundation-San Jose Medical Group and breached the data of more than 9,000 patients.