Date: Nov 2019

Location: United States of America

Summary

Verity Medical Foundation experienced unauthorized access to three employee email accounts, compromising emails and attachments containing sensitive health and personal information such as patient names, treatment details, medical conditions, insurance data, dates of birth, contact information, and in some cases Social Security or driver’s license numbers. The organization promptly terminated access, disabled affected accounts, and removed unauthorized communications, finding no evidence of data misuse but offering credit monitoring to individuals with exposed sensitive identifiers. Security enhancements included mandatory employee training, system-wide password resets, and restrictions on unknown URLs to mitigate future risks.

Description

In late November 2018 and mid-January 2019, Verity Health System of California, Inc. and Verity Medical Foundation experienced three separate security incidents involving unauthorized access to three employee web email accounts by an unknown third party. Verity discovered that the attacker compromised these accounts, potentially accessing emails and attachments stored within them. The organization’s Information Security Team responded within hours of each discovery by terminating the unauthorized access, disabling the impacted email accounts, disconnecting associated devices from the network, and removing all unauthorized emails sent to affiliated employees. Verity’s investigation indicated the intrusion aimed to harvest user credentials rather than access specific patient data, with no evidence suggesting the attacker viewed, forwarded, or misused emails or attachments. The compromised accounts contained a range of sensitive information, including health records and personal identifiers related to patients, employees, physicians, and other third parties affiliated with Verity’s network of medical facilities.

The investigation confirmed that exposed health information included patient names, treatment details, medical conditions, billing codes, and health insurance policy numbers. Personal information in the accounts encompassed names, dates of birth, addresses, phone numbers, health insurance subscriber numbers, patient ID numbers, and in some attachments, Social Security numbers and driver’s license numbers. Individuals associated with Verity Medical Foundation and Verity hospitals—O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (including Seton Coastside), St. Francis Medical Center, and St. Vincent Medical Center—were potentially affected. Although Verity found no evidence of identity theft, fraud, or misuse of data, it notified all potentially impacted individuals and regulatory bodies out of caution. The organization offered one year of complimentary credit monitoring to those whose Social Security or driver’s license numbers were exposed. Verity implemented enhanced security measures including mandatory employee password resets, disabling unrecognized URLs, and deploying new security training modules. A dedicated call center was established to address inquiries, and incident details were published on Verity’s website alongside regulatory notifications.
