Verity Health System’s St. Vincent Medical Center discovered that a web email account had been compromised in a phishing attack.
The breach took place on March 15, 2019, when a hospital pathologist’s email account was compromised. St. Vincent Medical Center detected the compromised account on March 26 and secured it within hours.
While the email account was accessible, an unauthorized person used it to send phishing emails with malicious attachments and hyperlinks to internal and external contacts. According to a substitute breach notice presented to the California Attorney General, the phishing emails did not result in a breach of other employee accounts.
Although the attacker’s motive appeared to be obtaining the login credentials of other email accounts, the attacker potentially had full access to emails, folders and attachments while the account was accessible. The investigation could not confirm whether the attacker accessed or copied any patient data in emails and email attachments.
A review of the emails confirmed that the protected health information (PHI) of some patients was accessible to the attacker. The PHI included the patients’ names, addresses, telephone numbers, birth dates, Social Security numbers, medical record numbers, service dates, health conditions, treatments received, laboratory test results, and health plan names.
When the breach was discovered, St. Vincent Medical Center blocked the unauthorized account access and removed from the email system all phishing emails sent using the account. The email accounts of employees found to have clicked links in the phishing emails were also disabled.
Verity Health System has encountered several phishing attacks in the last few months. This breach happened after two attacks, one in December 2018 and one in January 2019. Almost 15,000 patients were affected in the January attack.
Verity Health has already implemented more email security controls to stop malicious emails, including multi-factor authentication, counseling and re-education of people, and a new security module.
At this time, it is not yet known how many patients were impacted by the attack on St. Vincent Medical Center.