PHI Potential Exposure Due to Phishing Attack on St. Vincent Medical Center

St. Vincent Medical Center of Verity Health System discovered a phishing attack that led to the compromise of a hospital pathologist’s web email account.

The breach of the email account occurred on March 15, 2019 but it was discovered on March 26 and secured it within hours.

In the time when the unauthorized person accessed the email account, phishing emails containing malicious attachments and hyperlinks were sent using the account to internal and external contacts. A substitute breach notice given to the California Attorney General claims that no other employee account was breached because of the phishing emails.

It appeared that the attacker’s intent was to get other email accounts’ login information. But the attacker got access to the account and potentially accessed emails, folders and attachments. It is not confirmed though by the investigation that the attacker viewed or copied patient data contained in the emails and attachments.

Analysis of the emails proved that the attacker had access to some patients’ protected health information (PHI), such as names, addresses, birth dates, telephone numbers, Social Security numbers, health plan names, medical record numbers, health conditions, service dates, treatments acquired and laboratory test results.

As soon as the breach was uncovered, St. Vincent Medical Center stopped the unauthorized email account access and eliminated from the email system the phishing emails sent through the compromised account. All email accounts of employees that were associated to clicking phishing links were also inactivated. Verity Health had enforced extra email security controls such as multi-factor authentication, re-training of employees and setup of a new security module.

Verity Health System already encountered a number of phishing attacks in the past months. This breach took place subsequent to recent attacks in December 2018 and January 2019, where 15,000 patients were affected. In the latest breach, the number of patients that were affected by the breach is not yet known.