Multiple Phishing Attacks Hit California’s Verity Health System

The Redwood City, Calif.-based Verity Health System and Verity Medical Foundation are notifying patients that some of their personal information may have been accessed without authorization by an unknown third party.

According to a notice from the organization dated Jan.25, in two incidents in late November and one in mid-January, Verity discovered that an unauthorized third party obtained access to three Verity employee’s web email accounts, including access to any emails or attachments residing in the email accounts.

Although the unauthorized access was terminated by a security team, Verity officials do believe the access was an effort to obtain user names and passwords of other users. But at the same time, the organization says it has no evidence that the emails or attachments in the affected accounts were accessed, used, forwarded or sent by the third party.

The health system contains six hospitals—as well as Verity Physician Network and Verity Medical Foundation—and has approximately 8,000 associations and physicians.

According to Verity’s investigation, officials determined that some of the emails and attachments residing in the email accounts accessed without authorization contained health or medical information, including, for example, names, treatment information, medical condition, billing codes, and health insurance policy numbers. Other emails and attachments contained personal information, including, for example, names, health insurance policy numbers, subscriber numbers, dates of birth, patient identification numbers, phone numbers, and addresses, officials reported.

Patients from Verity Medical Foundation, in San Jose, and each of the Verity hospitals, namely O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (including its Seton Coastside campus), St. Francis Medical Center, and St. Vincent Medical Center, may have been impacted.

“While Verity has no evidence that any of this information has been used inappropriately and is not aware of any reports of identity theft or fraud related to these events, out of an abundance of caution, Verity is notifying potentially affected individuals to provide additional information about what happened and guidance on how they can protect themselves,” the notice read.