Phishing Attack on Verity Health System Exposes Patients’ PHI

Verity Health System is a network of 6 hospitals based in Redwood City, California. It has encountered a phishing attack on November 27, 2018 resulting in the potential compromise of the protected health information (PHI) of some patients.

A hacker was able to obtain a Verity Health employee’s Office 365 credentials as a consequence of responding to a phishing email. For about 1.5 hours, an unauthorized person got access to the email account of the employee and used it to send phishing emails to other employees of Verity Health and to the people on the contact list of the employee. There’s a hyperlink in the phishing emails that takes the message recipients to a malicious site. When the breach was investigated, it was confirmed that no recipient of the phishing emails revealed their account credentials.

The purpose of the attacker seemed to be just to get more account credentials instead of getting sensitive information from the compromised employee account. Nevertheless, it is likely that the attacker viewed or obtained some of the patients’ PHI while accessing the account. The good thing is, rapid discovery and remediation of the data breach minimized the possibilities for data theft.

Investigators analyzed the email messages and attachments in the account and affirmed having found some patients’ PHI, but it wasn’t possible to ascertain if the attacker viewed or copied any of the emails. There were no reports of messages in the account being forwarded to other email addresses. Nor was there any indication of theft or misuse of any patient information.

Verity Health informed the patients whose PHI were potentially compromised about the breach by mail. It was stated in the breach notification letters that the types of patient information included in the account were names, telephone numbers, addresses, birth dates, Social Security numbers, treatment details, dates of service, health conditions, billing codes, laboratory test findings, health plan names and medical insurance policy numbers, patient ID numbers, claims details, subscriber numbers and information about medical care payment.

When Verity Health System discovered the breach, prompt steps were taken to secure data including disabling the compromised email account, disconnecting the user’s computer from the network and deleting all the unauthorized emails sent using the compromised account from the email system. The email accounts of the email recipients who clicked the hyperlink in the email were also disabled as a preventative measure.

Training was also provided to all users who clicked the hyperlink in the phishing emails. A new training module was created for all employees to increase their awareness about the phishing threat. A project was also developed and released to improve email security, including the deactivation of all unidentified URLs sent in emails.

Although the risk of identity theft and fraudulence is considered to be low, Verity Health offered all people affected by the data breach 12 months of identity theft and credit monitoring services for free.

The breach report was already submitted to the California Attorney General’s Office and other pertinent authorities. There’s no mention yet about the ıncident on the HHS’ Office for Civil Rights breach portal, thus the exact number of persons impacted by the breach is still unknown.