Cyber Incident Victim: Verity Health System

Verity Health System, which operates Seton Medical Center and five other California hospitals, discovered unauthorized access to its Verity Medical Foundation-San Jose Medical Group website on January 6, 2017. The health system’s internal investigation determined the breach began in October 2015 and continued until its detection in January 2017. The compromised website, no longer operational at the time of discovery, contained patient information dating from 2010 to 2014. Exposed data included names, dates of birth, medical record numbers, physical addresses, email addresses, phone numbers, and the last four digits of credit card numbers. Social Security numbers and full credit card details were not stored in the affected system. Verity Health took immediate action to secure the website, terminate unauthorized activity, and implement safeguards against future incidents. The organization did not disclose the exact number of affected individuals but acknowledged notifying "thousands" of patients across its network.

Verity Health CEO Andrei Soran confirmed the organization notified impacted patients by mail as required by law and established a dedicated call center to address inquiries. The health system offered complimentary credit monitoring services for one year to affected individuals despite the absence of exposed Social Security numbers. Verity engaged an unspecified leading cybersecurity firm to conduct additional evaluations of its information systems' integrity. The breach notification emphasized enhanced protective measures for future operations but did not specify technical details of the website vulnerabilities or the attacker’s methods. No evidence of data misuse was reported at the time of disclosure. The incident marked a significant security event for the newly formed health system, which had been operating for approximately one year prior to the breach’s discovery.