Cyber Incident Victim: VEP Healthcare

In late 2019, VEP Healthcare, a Concord, California-based emergency medicine and hospital staffing firm, experienced a cybersecurity incident stemming from a phishing attack. Unauthorized actors gained access to a portion of the organization's email accounts between November 19, 2019, and January 20, 2020. The breach persisted undetected for over a year until a forensic investigation confirmed the intrusion on March 11, 2020. While the compromised email accounts contained patient personal information, the specific data elements exposed were not publicly disclosed. VEP Healthcare stated there was no evidence suggesting misuse of the accessed data during the unauthorized exposure period. The incident impacted patients whose information resided in the affected email accounts, though the total number of affected individuals remained unspecified in available reports.

VEP Healthcare initiated patient notifications following the investigation's completion and implemented remedial measures to address the breach. The organization offered affected individuals a comprehensive one-year identity theft protection package through IDX, featuring continuous credit monitoring, cyber surveillance scans, and fully managed identity restoration support. This package included a $1 million insurance reimbursement policy covering certain identity theft-related expenses. The breach notification emphasized transparency regarding the incident's timeline while maintaining that no evidence indicated actual exploitation of the exposed data. VEP Healthcare's response focused on mitigating potential future risks to patients rather than confirming any concrete instances of harm resulting from the email account compromises.