Not once, not twice, but THREE times… A California-based health system recently reported a breach of patient data after two phishing attacks in November and mid-January that gave a hacker access to three employee web email accounts.  

During the incident, the hacker sent emails containing malicious links to a wide range of internal and external accounts without authorization.  Officials said it appears the hacker was attempting to obtain usernames and passwords from email recipients.  

The Good News:  The unauthorized individual did not gain access to any other Verity employee email accounts, the network, or servers, officials confirmed. Access was terminated within hours and the device was disconnected from the internet. All unauthorized emails were deleted and “all email accounts where the user clicked on the link before the email was deleted” were disabled.

The Bad News:  However, during the several hours of access, the hacker had the ability of accessing emails and attachments. The investigation determined one or more of those attachments included some protected health information for about 14,894 patients.

The compromised emails contained a trove of sensitive information including: names, patient identification numbers, dates of birth, phone numbers, addresses, health plan names, treatment details, medical procedures and conditions, lab test data, medical equipment information, billing codes, dates of service, payment information, claims history, health insurance policy numbers, subscriber identification, health insurance identifiers, application and claims history, Social Security numbers, and driver’s licenses.

Risk to Small Business: 2.333 = Severe: VMF recently notified its patients of another security breach it suffered on January 16th of this year, immediately following two similar phishing incidents. A hacker was able to compromise an employee’s Office 365 account for several hours and send phishing emails internally and externally to gather usernames and passwords. Although the organization maintains that there is no evidence of patient information being accessed, they will now face scrutiny by the media and patients, along with being forced to deploy mandatory training for employees.

Individual Risk: 2.571 = Severe: Aside from account usernames and passwords, protected health information including DOBs, patient identification numbers, phone numbers, addresses, health plans, treatments received, SSNs, and even insurance details may have been exposed. While the company believes that it was unlikely that the attacker was after the data, affected patients should enlist in identity monitoring and additional security measures.

Customers Impacted: 14,894 patients
How it Could Affect Your Customers’ Business: The compounding effects of back-to-back breaches can amount to serious losses for organizations. Even worse, employee phishing attacks are entirely preventable through the implementation of security training and education. If breach occurs, businesses are forced to enroll their employees in such programs anyway, and likely at a higher cost. By then, however, the damage will have already been done.

Contrast to the Rescue:  With our technology, we can simulate phishing attacks and conduct security awareness training campaigns to educate your employees, making them the best defense against cybercrime.  Want us to come to your business?  Give us a call: 570-966-1515.

Share This