- Two separate phishing attacks occurred in November 2018 and January 2019 respectively.
- The phishing attacks enabled the hackers to gain access to three employee web email accounts that contained attachments and messages.
Verity Health System and Verity Medical Foundation have suffered two potential breaches, resulting in the compromise of personal data of an unknown number of patients. The data was compromised by hackers in two separate phishing attacks that occurred in November 2018 and January 2019 respectively.
Employee email accounts compromised
According to officials, the phishing attacks enabled the hackers to gain access to three employee web email accounts that contained attachments and messages. The compromised email accounts included a wide variety of data such as patients’ names, treatment details, medical conditions, health insurance policy numbers and billing codes.
The attachments included subscriber numbers, dates of birth, patient identification numbers, addresses and phone numbers. For some patients, Social Security numbers and driver’s license numbers were also breached.
The attacks affected other facilities of Verity healthcare such as O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (including its Seton Coastside campus), St. Francis Medical Center, and St. Vincent Medical Center.
What actions were taken?
Upon discovery, access to the compromised email accounts was disabled and the services were disconnected from the network. All unauthorized emails sent from the compromised accounts were also deleted.
The healthcare firm has notified its patients as well as law enforcement agencies. The investigation revealed that the attacks were carried out in an attempt to obtain user credentials.
In the wake of the attacks, the firm has started a new mandatory training module for all its employees. It is also working toward enhancing the security of its systems and infrastructure.
“The organization is deploying a new mandatory training module for all employees, and has initiated a project to enhance security, including mandating password resets for all employees and disabling unknown URLs,” said the firm in its breach notice.
It is also providing the affected patients with a year of free credit monitoring service.