Oh dear. When I saw Verity Medical Foundation listed on HHS’s public breach tool this month with more than 14,000 patients impacted, I thought it might be just an updated report for the two incidents that they had disclosed in January.
But no. It appears that Verity had yet another breach. Like the first two, this one involved unauthorized access to an employee’s email account. And like the first two, this one was caught quickly — within hours.
Yet less than two weeks before they would disclose two incidents involving unauthorized access to employees’ email accounts, they had experienced a third incident. This one occurred on January 16, 2019. And as in the first two incidents, the employee’s email account had protected health information in it or attached to it.
So what did Verity do in response? Well, part of what they did is described in one of their notification letters:
“Since this incident, the Foundation has provided individual counseling and re-education to the individuals involved, is deploying a new mandatory training module for all employees, and has initiated a project to enhance security, including mandating password resets for all employees and disabling unknown URLs.”
There are actually four types of notification letters, and you can find the templates for them here.