Phoenix Children’s Hospital & New York Nursing Center Impacted by Phishing Incident

A business email compromise (BEC) attack has impacted Village Center for Care dba VillageCare Rehabilitative and Nursing Center (VRNC) and Village Senior Services Corporation dba VillageCareMAX (VCMAX). BEC attacks involve the impersonation of an executive, either using the executive’s actual email account compromised in a previous attack, or by spoofing the executive’s email address.

An unauthorized person, pretending to be part of the executive team, requested sensitive data on VRNC patients and VCMAX members. Believing the request to be legitimate, the employee responded and supplied the information as requested. VCMAX and VRNC were alerted to a possible BEC attack on or around December 30, 2019.

The investigation showed the request was not authentic and sensitive data on VRNC patients and VCMAX members had been impermissibly shared. The data shared by email included the names and Medicaid ID numbers of 2,645 VCMAX members and first and last names, dates of birth, insurance supplier names, and Insurance ID numbers of 674 VRNC patients.

There have been no reports of improper use of personal information, but all affected persons have been advised to be vigilant and check accounts, credit reports, and explanation of benefits statements for signs of fraudulent activity. VCMAX and VRNC are reviewing and enhancing their policies and processes to stop additional attacks of this nature in the future.

1,860 People Affected in Phishing Attack on Phoenix Children’s Hospital

The email accounts of seven workers of Phoenix Children’s Hospital have been compromised as a result of a targeted phishing attack between September 5 and September 20, 2019.

Upon identification of the breach, a leading computer forensic company was engaged to investigate the extent of the breach. The hospital learned on November 15, 2019 that the impacted accounts contained the protected health information of 1,860 existing and former patients, which may have been viewed or obtained by the hackers.

The accounts were found to include patient names, personal data and, for some individuals, limited health data and Social Security numbers.

On January 14, 2020, Phoenix Children’s Hospital started alerting impacted patients by mail. Free credit monitoring and identity theft protection services have been offered to patients whose Social Security number was potentially obtained.

Author: Maria Perez