Verity Medical Foundation notifies of another security incident involving data exposure

  • This is the third time the organization has witnessed a security incident in January.
  • It is estimated that over 14,000 patients are affected by the breach of an employee’s email account.

Healthcare provider Verity Medical Foundation (VMF) has notified patients of a third security incident it suffered at the start of this year. Reportedly, 14,000 patients are impacted by the breach, in which an outsider gained unauthorized access to an employee’s email account that contained sensitive health information.

Worth noting

  • VMF said that the incident occurred on January 16, 2019, right after the first two phishing incidents.
  • The ‘third party’ attacker broke into an Office 365 web email account of an employee and sent phishing emails to internal as well as external email accounts to obtain user names and passwords. The method was similar to the two phishing attacks perpetrated earlier.
  • Apart from names and passwords, specific information such as dates of birth, patient identification numbers, phone numbers, addresses, names of health plans and treatment received is believed to have been compromised.
  • Social security numbers and health insurance related information were also included among them.
  • VMF mentions that no payment or financial information was affected by the incident.

What measures were taken?

As soon as the incident came to light, VMF said it removed the compromised email account. Furthermore, it said that no other entities were impacted by the breach.

“Since this incident, the Foundation has provided individual counseling and re-education to the individuals involved, is deploying a new mandatory training module for all employees, and has initiated a project to enhance security, including mandating password resets for all employees and disabling unknown URLs,” the official notification mentioned.

Cyware Publisher