St. Vincent Medical Center, a part of Verity Health System, has announced a staff email account has been hacked following a response to a phishing email.
The breach took place on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was discovered on March 26 and the account was secured within hours.
During the period of time time that the unauthorized individual had access to the account, it was used to issue phishing emails to internal and external email addresses. Those messages included malicious attachments and hyperlinks. A substitute breach notice provided to the California Attorney General stated that no other employee accounts were breached as a result of misuse of the email account.
While the intention of the hacker appears to have been to obtain login details to other email accounts, during the time that the account was accessible, full access to emails, folders, and email attachments was possible. The review into the breach could not confirm whether any patient data in emails and email attachments had been accessed or copied by the hacker.
An audit of those emails confirmed they included the PHI of certain patients including names, addresses, phone numbers, dates of birth, Social Security numbers, medical record numbers, dates of service, medical conditions, treatments supplied, lab test results, and health plan names.
Upon identification of the breach, unauthorized access to the account was ended and all phishing emails sent from the account were deleted from the email system. Employees found to have clicked on links in the emails also had their email accounts disabled and secured.
Verity Health System has suffered many phishing attacks in the past few months. This incident comes after two attacks in late December 2018 and another attack in January. The January attack impacted up to 15,000 patients.
Verity Health has now added more email security controls to block malicious emails along with multi-factor authentication. Workers involved have been given with counseling and re-education and a new security module has been deployed.