- Verity Health System and Verity Medical Foundation are notifying patients that their data was potentially breached by two separate phishing attacks.
According to officials, one cyberattack occurred in November and the other in mid-January. In doing so, a hacker gained access to three employee web email accounts, including access to attachments and messages.
Upon discovery, access to these accounts was terminated within hours by the Verity IT team. The email accounts were also disabled, and the services were disconnected from the network, while all unauthorized emails sent by the account were deleted.
An investigation revealed the attack appeared to be an attempt to obtain user credentials. Credential-stealing attacks skyrocketed in 2018, as hackers shifted away from straight malware infections. The goal is to obtain usernames and passwords, which would give hackers access to other network entry points.
The compromised email accounts contained a wide range of data that varied by patient, including names, treatment details, medical conditions, health insurance policy numbers, and billing codes. The attachments included subscriber numbers, dates of birth, patient identification numbers, addresses, and phone numbers.
For some patients, Social Security numbers and driver’s license numbers were breached. These patients will receive a year of free credit monitoring. Further, some Verity employee data was also breached.
Officials said Verity Medical Foundation, and other Verity-owned facilities were involved, such as O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (including its Seton Coastside campus), St. Francis Medical Center, and St. Vincent Medical Center were also impacted.
“Verity remains committed to protecting the privacy and security of the health and other personal information it maintains for patients, employees, professionals, and other third parties,” officials said in a statement.
“The organization is deploying a new mandatory training module for all employees, and has initiated a project to enhance security, including mandating password resets for all employees and disabling unknown URLs,” they added.
It’s been a tough year for Verity. The six-hospital health system filed for bankruptcy in August. And in October, Verity Health filed a motion to auction off its hospitals in Santa Clara County, California.
This is also the second breach for Verity in the last two years. In February 2017, the health system reported that a hacker potentially accessed the website of the Verity Medical Foundation-San Jose Medical Group and breached the data of more than 9,000 patients.