Verity Health System of California, Inc. and Verity Medical Foundation Notify Individuals and Regulatory Bodies of Data Security Incident
From their public notification:
[El Segundo, CA, January 25, 2019] – Although there is no evidence of the unauthorized access or use of individual health or personal information, Verity Health System of California, Inc. and Verity Medical Foundation (collectively “Verity”) are notifying potentially affected individuals that some of their personal information may have been accessed without authorization by an unknown third party.
In two incidents in late November and one in mid-January, Verity discovered that an unauthorized third party obtained access to three Verity employees’ web email accounts, including access to any emails or attachments residing in the email accounts. Within hours of learning of each incident, the Verity Information Security Team promptly terminated the unauthorized access, disabled the impacted email accounts, disconnected the devices from the network, and removed all unauthorized emails sent to affiliated employees. Based on its investigation to date, Verity believes the access was an effort to obtain user names and passwords of other users, and has no evidence that the emails or attachments in the affected accounts were accessed, used, forwarded or sent by the third party.
Verity’s investigation determined that some of the emails and attachments residing in the email accounts accessed without authorization contained health or medical information, including, for example, names, treatment information, medical condition, billing codes, and health insurance policy numbers. Other emails and attachments contained personal information, including, for example, names, health insurance policy numbers, subscriber numbers, dates of birth, patient identification numbers, phone numbers, and addresses. Some attachments also included social security numbers and/or driver’s license numbers. Some patients from Verity Medical Foundation, and each of the Verity hospitals, namely O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (including its Seton Coastside campus), St. Francis Medical Center, and St. Vincent Medical Center may be impacted by this incident. The affected email accounts may also have included personal or health information of some Verity employees and other third parties, including physicians and practitioners who work at these facilities.
While Verity has no evidence that any of this information has been used inappropriately and is not aware of any reports of identity theft or fraud related to these events, out of an abundance of caution, Verity is notifying potentially affected individuals to provide additional information about what happened and guidance on how they can protect themselves. Verity regrets any concern these events may cause and is providing credit monitoring services for one year free of charge to any individual whose social security number or driver’s license number was contained in the impacted web email accounts. Verity is also reporting these incidents to all appropriate regulatory bodies.
Verity remains committed to protecting the privacy and security of the health and other personal information it maintains for patients, employees, professionals, and other third parties. The organization is deploying a new mandatory training module for all employees, and has initiated a project to enhance security, including mandating password resets for all employees and disabling unknown URLs.
In addition, Verity has established a call center to answer questions and provide additional information about these events. If you would like to reach the call center, please call 877-354-7979 from Monday through Friday, 6:00 a.m. – 6:00 p.m. (Pacific Time). Additional information is posted on Verity’s website at: www.verity.org.
The number of patients being notified was not included and the incident is not yet on HHS’s public breach tool, so this post may be updated at some point.